Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message.
Threat-Mapped Scoring
Score: 3.0
Priority: P2 - Serious (High)
S1 – Steal Customer Account Information
EPSS
Score: 0.00622Percentile:
0.69143
CVSS Scoring
CVSS v3.1 Score: 5.3
Severity: MEDIUM
Mapped CWE(s)
CWE-425
: Direct Request ('Forced Browsing')
All CAPEC(s)
CAPEC-127 : Directory Indexing
CAPEC-143 : Detect Unpublicized Web Pages
CAPEC-144 : Detect Unpublicized Web Services
CAPEC-668 : Key Negotiation of Bluetooth Attack (KNOB)
CAPEC-87 : Forceful Browsing
CAPEC(s) with Mapped TTPs
CAPEC-127 : Directory Indexing
Mapped TTPs:
T1083
: File and Directory Discovery
CAPEC-668 : Key Negotiation of Bluetooth Attack (KNOB)
Mapped TTPs:
Mapped ATT&CK TTPs
T1083
: File and Directory Discovery
Kill Chain: discovery
T1565.002
: Transmitted Data Manipulation
Kill Chain: impact
Malware
APTs Threat Group Associations
Campaigns
Operation Wocao SolarWinds Compromise Operation CuckooBees Operation Honeybee Operation Dream Job C0015 Night Dragon KV Botnet Activity
Affected Products
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
← Back to Home
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me