Support » Requests and Feedback » Authentication Information Disclosure in 2.1.2

  • Hi WordPress team,

    Found a disclosure during authentication to a blog for version 2.1.2.

    When a person logs in with the wrong username into /wp-admin, the error message states “ERROR: Incorrect username”.

    The problem is that WordPress is disclosing that that username doesn’t exist, therefore providing more information to someone who wants to brute-force username/password combinations. Once they’ve guessed a correct username (other than the default admin), they only have 1 field to brute-force, reducing the time needed.

    Not too big a deal, but the solution should say “ERROR: Incorrect username/password” to not disclose which one was incorrect.
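The weakness the post describes, shown as an added example that is not WordPress code: a login handler that returns a different message for an unknown username than for a wrong password lets a caller confirm which usernames exist, while a handler that always returns the single message the post proposes does not. The user store, salt and passwords below are constructed for the demo; the hardened handler also verifies a dummy credential when the username is unknown so that the two failure paths cost roughly the same time, a second channel that a generic message alone does not close.

```python
"""Added example (not WordPress code): distinct login errors versus one
generic error, and why the generic one blocks username enumeration.
Users, salt and passwords below are constructed for the demo."""
import hashlib
import hmac

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, password hash)
_SALT = b"constructed-demo-salt"
USERS = {
    "admin": (_SALT, hash_password("correct horse", _SALT)),
}

# Dummy credential verified when the username is unknown, so the
# "no such user" path does the same work as the "wrong password" path.
_DUMMY = hash_password("dummy-never-matches", _SALT)

GENERIC = "ERROR: Incorrect username/password"


def login_vulnerable(username: str, password: str):
    """Mirrors the behaviour reported for 2.1.2: the error text reveals
    whether the username exists."""
    if username not in USERS:
        return (False, "ERROR: Incorrect username")
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "ERROR: Incorrect password")
    return (True, "OK")


def login_hardened(username: str, password: str):
    """Always hashes, always compares, and returns one message on any
    failure, so neither the text nor the timing says which field was wrong."""
    known = username in USERS
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    match = hmac.compare_digest(hash_password(password, salt), stored)
    if known and match:
        return (True, "OK")
    return (False, GENERIC)


def messages_distinguish_users(login) -> bool:
    """True if the error text for a real username differs from the error
    text for a made-up one; a defender wants this to be False."""
    _, real = login("admin", "wrong-password")
    _, fake = login("no-such-user", "wrong-password")
    return real != fake


if __name__ == "__main__":
    print("vulnerable leaks usernames:", messages_distinguish_users(login_vulnerable))
    print("hardened leaks usernames:  ", messages_distinguish_users(login_hardened))
```

Running the module prints `True` for the vulnerable handler and `False` for the hardened one; the successful login path is unchanged, so the fix costs nothing for legitimate users.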

Viewing 1 replies (of 1 total)
  • The topic ‘Authentication Information Disclosure in 2.1.2’ is closed to new replies.