CVE-2009-2334: wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, ...

Description

wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.

Metrics

EPSS Probability

6.26%

92.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions	Update
Wordpress	Wordpress	<= 2.7.1	—
Wordpress	Wordpress	0.6.2	—
Wordpress	Wordpress	0.6.2.1	—
Wordpress	Wordpress	0.7	—
Wordpress	Wordpress	0.71	—
Wordpress	Wordpress	0.71-gold	—
Wordpress	Wordpress	0.72	—
Wordpress	Wordpress	0.711	—
Wordpress	Wordpress	1.0	—
Wordpress	Wordpress	1.0-platinum	—
Wordpress	Wordpress	1.0.1	—
Wordpress	Wordpress	1.0.1-miles	—
Wordpress	Wordpress	1.0.2	—
Wordpress	Wordpress	1.0.2-blakey	—
Wordpress	Wordpress	1.2	—
Wordpress	Wordpress	1.2-delta	—
Wordpress	Wordpress	1.2-mingus	—
Wordpress	Wordpress	1.2.1	—
Wordpress	Wordpress	1.2.2	—
Wordpress	Wordpress	1.3.1	—
Wordpress	Wordpress	1.4	—
Wordpress	Wordpress	1.5	—
Wordpress	Wordpress	1.5-strayhorn	—
Wordpress	Wordpress	1.5.1	—
Wordpress	Wordpress	1.5.1.1	—
Wordpress	Wordpress	1.5.1.2	—
Wordpress	Wordpress	1.5.1.3	—
Wordpress	Wordpress	1.5.2	—
Wordpress	Wordpress	1.6	—
Wordpress	Wordpress	2.0	—
Wordpress	Wordpress	2.0.1	—
Wordpress	Wordpress	2.0.2	—
Wordpress	Wordpress	2.0.3	—
Wordpress	Wordpress	2.0.4	—
Wordpress	Wordpress	2.0.5	—
Wordpress	Wordpress	2.0.6	—
Wordpress	Wordpress	2.0.7	—
Wordpress	Wordpress	2.0.8	—
Wordpress	Wordpress	2.0.9	—
Wordpress	Wordpress	2.0.10	—
Wordpress	Wordpress	2.0.10_rc1	—
Wordpress	Wordpress	2.0.10_rc2	—
Wordpress	Wordpress	2.0.11	—
Wordpress	Wordpress	2.1	—
Wordpress	Wordpress	2.1.1	—
Wordpress	Wordpress	2.1.2	—
Wordpress	Wordpress	2.1.3	—
Wordpress	Wordpress	2.1.3_rc1	—
Wordpress	Wordpress	2.1.3_rc2	—
Wordpress	Wordpress	2.2	—

Showing 50 of 86 affected configurations. See NVD for the full list.

References

Timeline

Published: Jul 10, 2009
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2009-2334?

wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.

How severe is CVE-2009-2334?

Severity scoring for CVE-2009-2334 is pending analysis. The EPSS model estimates a 6.26% probability of exploitation in the next 30 days.

How do I fix CVE-2009-2334?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.