Wordpress - cleartext admin credentials disclosure

Question

I am testing my own wordpress blog against security issues with wpscan.

Honestly I have never done that before and was shocked after I saw the result.

One vulnerability of my wordpress site is:

[+] WordPress version 3.8 identified from rss generator
[!] 1 vulnerabilities identified from the version number
 |
 | * Title: wp-admin/options-writing.php Cleartext Admin Credentials Disclosure
 | * Reference: http://seclists.org/fulldisclosure/2013/Dec/135
 | * Reference: http://osvdb.org/101101

What does that mean? Is it easy for attackers to get admin rights on my site? If so how could sb do such a thing? How can I secure against this?

I appreciate your answer

Have you checked the links that the error gives you as references. They do a rather nice job of explaining. — AJ Henderson, Jan 09 '14 at 19:27

AJ Henderson · Answer 1 · 2014-01-09T19:38:55.547

1

If you check the references in the warning you put in the question, it explains that the password used for E-mail is stored in plain text in the DB and that this may be disclosed. It appears to only potentially leak the credentials associated with the e-mail account used to send messages for the forum.

edited Jan 09 '14 at 19:38

answered Jan 09 '14 at 19:29

AJ Henderson

41,816
5
63
110

Wordpress - cleartext admin credentials disclosure

1 Answers1