CVE-2005-4463
Description
WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5) wp-settings.php, and (6) wp-admin/edit-form-comment.php, which leaks the path in an error message related to undefined functions or failed includes. NOTE: the wp-admin/menu-header.php vector is already covered by CVE-2005-2110. NOTE: the vars.php, edit-form.php, wp-settings.php, and edit-form-comment.php vectors were also reported to affect WordPress 2.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:wordpress:wordpress:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:1.5.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:1.5.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:2.0.1:*:*:*:*:*:*:*
- (no CPE) range: <1.5.2
Patches
Vulnerability mechanics
Root cause
"Direct access to PHP files that depend on WordPress core functions being loaded first causes PHP to emit fatal errors that leak the server filesystem path."
Attack vector
An unauthenticated remote attacker sends an HTTP GET request directly to one of several WordPress PHP files (e.g., wp-includes/vars.php, wp-content/plugins/hello.php, wp-admin/upgrade-functions.php, wp-admin/edit-form.php, wp-settings.php, wp-admin/edit-form-comment.php) without going through the normal WordPress bootstrap. Because these files rely on functions or constants defined elsewhere (e.g., get_settings(), wptexturize(), _e(), __(), or the ABSPATH constant), PHP throws a fatal error that includes the full installation path in the error message [ref_id=1][ref_id=2]. No authentication or special network position is required; the attacker only needs to know the WordPress base URL.
Affected code
The vulnerable files are: wp-includes/vars.php (line 106 calls undefined get_settings()), wp-content/plugins/hello.php (line 44 calls undefined wptexturize()), wp-admin/upgrade-functions.php (line 3 uses undefined ABSPATH constant), wp-admin/edit-form.php (line 3 calls undefined _e()), wp-settings.php (line 59 uses undefined ABSPATH constant), and wp-admin/edit-form-comment.php (line 2 calls undefined __()) [ref_id=1][ref_id=2].
What the fix does
The advisory does not provide a code patch. The recommended remediation is a server-level configuration change: set `display_errors` to Off and enable `log_errors` in php.ini so that error messages are written to a log file instead of being displayed in the HTTP response [ref_id=1][ref_id=2]. This prevents the filesystem path from being disclosed to remote users. The advisory notes that this fix applies to users who "do not know how to fix the script" [ref_id=2].
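The php.ini change described above can be checked mechanically. The following is an added example, not code from the advisory, NVD or the WordPress project: a small Python audit that parses a php.ini body the way PHP's ini parser treats boolean values and reports whether `display_errors` is still on or `log_errors` is off. Both php.ini bodies are constructed samples; the weak one mirrors a development-style configuration, the hardened one the settings the advisory recommends, plus an assumed `error_log` path.

```python
# Added example (not from the advisory or WordPress): audit a php.ini body for
# the two settings the advisory recommends, display_errors=Off and log_errors=On.

# Values PHP's ini parser treats as boolean false; anything else (On, 1, true,
# yes, and for display_errors also stderr/stdout) enables the directive.
PHP_INI_FALSE = {"0", "off", "false", "no", "none", ""}

# Constructed sample: a development-style php.ini that returns errors, and
# therefore filesystem paths, to HTTP clients.
WEAK_PHP_INI = """
[PHP]
; development settings on the hypothetical server
display_errors = On
log_errors = Off
"""

# Constructed sample: the configuration the advisory recommends. The error_log
# path is an assumption for this example.
HARDENED_PHP_INI = """
[PHP]
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
"""


def parse_php_ini(text: str) -> dict:
    """Return the effective directives of a php.ini body (last assignment wins).

    Section headers are skipped because [PHP] directives apply globally;
    comments start with ';'; quoted values are unquoted. Values that themselves
    contain ';' are not supported by this small parser.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip("\"'")
    return directives


def ini_enabled(value: str) -> bool:
    """Mirror PHP's boolean interpretation of an ini value."""
    return value.strip().lower() not in PHP_INI_FALSE


def audit_error_display(text: str) -> list:
    """List the findings relevant to CVE-2005-4463-style path disclosure."""
    directives = parse_php_ini(text)
    findings = []
    # PHP's built-in default for display_errors is "1", so an absent directive
    # counts as enabled; only the production php.ini template turns it off.
    display = directives.get("display_errors", "1")
    if ini_enabled(display):
        findings.append(
            f"display_errors={display}: fatal errors, including the script's "
            "filesystem path, are returned in the HTTP response"
        )
    # PHP's built-in default for log_errors is also "1".
    if not ini_enabled(directives.get("log_errors", "1")):
        findings.append("log_errors is off: errors are not recorded anywhere")
    return findings


if __name__ == "__main__":
    for name, body in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(name, audit_error_display(body) or ["no findings"])
```

Auditing the file alone is not the whole check: `display_errors` can be re-enabled per directory with `php_flag` in an `.htaccess` file or at runtime with `ini_set()`, so confirm the effective value on the server with `php -i` or `ini_get('display_errors')` in the request context that matters.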
Preconditions
- config: WordPress installation must have PHP display_errors enabled (the default in many PHP configurations)
- auth: No authentication required
- network: Attacker must be able to send HTTP requests to the WordPress server
- input: Attacker sends a direct HTTP GET request to one of the listed PHP files
Reproduction
1. Identify the base URL of a WordPress installation (version < 1.5.2).
2. Send a GET request to `http://victim/[WP Folder]/wp-includes/vars.php?PHP_SELF%20=dudul`.
3. Observe that the response contains a fatal error message that includes the full server path, e.g., `/var/www/html/blog/wp-includes/vars.php` [ref_id=1][ref_id=2].
4. Repeat with any of the other listed files: wp-content/plugins/hello.php, wp-admin/upgrade-functions.php, wp-admin/edit-form.php, wp-settings.php, or wp-admin/edit-form-comment.php.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- echo.or.id/adv/adv24-theday-2005.txt (NVD; Exploit, Vendor Advisory)
- neosecurityteam.net/advisories/Advisory-17.txt (NVD)
- securityreason.com/securityalert/286 (NVD)
- www.securityfocus.com/archive/1/419994/100/0/threaded (NVD)
- www.securityfocus.com/archive/1/419999/100/0/threaded (NVD)
- www.securityfocus.com/archive/1/426304/100/0/threaded (NVD)