WordPress version 3.3.1 is prone to PHP code execution and persistent cross-site scripting vulnerabilities via the “setup-config.php” page. An attacker can host their own MySQL database server and then successfully complete the WordPress installation without having any valid credentials on the target system. After that they can inject malicious PHP code through the WordPress Themes editor.
There are also multiple cross-site scripting vulnerabilities in the “setup-config.php” page: an attacker can supply JavaScript in the “dbname”, “dbhost” or “uname” parameters.
A password disclosure vulnerability via the “setup-config.php” page has also been discovered in WordPress 3.3.1. It allows an attacker to omit the “dbname” parameter, which lets them continually brute-force MySQL usernames and passwords. This covers any local or remote MySQL instances that are accessible to the target web server.
Update WordPress.
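As an added detection example (not part of the advisory), the following script flags request records that match the three vectors described above: an install page that is still reachable, a non-local “dbhost”, repeated “uname” values with “dbname” omitted, and markup in the database fields. It assumes records of the shape a WAF or reverse proxy that logs form fields would produce; the field names follow the advisory, and the sample records are constructed.

```python
"""Flag request records showing the setup-config.php abuse the advisory describes.
Records mimic what a WAF or proxy that logs form fields would emit (an assumption)."""
from collections import defaultdict

SETUP_PATH = "/wp-admin/setup-config.php"
LOCAL_DB_HOSTS = {"localhost", "127.0.0.1", "::1", ""}
GUESS_THRESHOLD = 3  # distinct usernames from one client with dbname omitted

# Constructed sample records (client, method, path, form fields), not real traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "GET", SETUP_PATH, {}),
    ("203.0.113.5", "POST", SETUP_PATH, {"dbname": "wp", "uname": "wp", "pwd": "x", "dbhost": "198.51.100.7"}),
    ("203.0.113.5", "POST", SETUP_PATH, {"uname": "root", "pwd": "a", "dbhost": "localhost"}),
    ("203.0.113.5", "POST", SETUP_PATH, {"uname": "admin", "pwd": "b", "dbhost": "localhost"}),
    ("203.0.113.5", "POST", SETUP_PATH, {"uname": "backup", "pwd": "c", "dbhost": "localhost"}),
    ("198.51.100.9", "POST", SETUP_PATH, {"dbname": "<script>1</script>", "uname": "wp", "dbhost": "localhost"}),
    ("198.51.100.9", "GET", "/index.php", {}),
]


def analyse(requests):
    """Return (client, finding) tuples; each client is reported once per finding."""
    findings = []
    guessed_names = defaultdict(set)

    def report(client, finding):
        if (client, finding) not in findings:
            findings.append((client, finding))

    for client, method, path, params in requests:
        if path != SETUP_PATH:
            continue
        # The install page answers only while wp-config.php is absent: the site is exposed.
        report(client, "setup page reachable")
        if method != "POST":
            continue
        # A non-local database host matches the attacker-hosted-MySQL code-execution vector.
        if params.get("dbhost", "") not in LOCAL_DB_HOSTS:
            report(client, "remote database host supplied")
        # Omitted dbname plus a stream of usernames matches the MySQL credential-guessing vector.
        if "dbname" not in params and "uname" in params:
            guessed_names[client].add(params["uname"])
            if len(guessed_names[client]) >= GUESS_THRESHOLD:
                report(client, "credential guessing against MySQL")
        # Markup in the stored database fields matches the cross-site scripting vector.
        if any("<" in params.get(k, "") for k in ("dbname", "dbhost", "uname")):
            report(client, "markup in database field")
    return findings
```

The first finding is the one that matters most: any answer from setup-config.php means the installation was never completed, so the remediation is to finish or remove the install, not only to update.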