WordPress 2.1.2 Authentication Information Disclosure
Found an information disclosure during authentication to a blog running version 2.1.2.
When someone tries to log in to /wp-admin with a username that does not exist, the error message states “ERROR: Incorrect username”.
Whereas if you enter a correct username and the wrong password, you get the following.
The problem is that WordPress is disclosing that the username doesn’t exist, which hands useful information to anyone who wants to brute-force username/password combinations. Once they have confirmed a valid username (other than the default admin), only the password field is left to brute-force, which cuts the search space considerably.
The fix is to return a single message such as “ERROR: Incorrect username/password” for both failures, so the response does not disclose which part was wrong.
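To make the oracle concrete, here is an added Python illustration (not code from this post or from WordPress) that simulates both the leaky login handler and the hardened one, then runs the attacker's enumeration check against each. The user table, password hashing scheme and the wording of the wrong-password message are all assumptions made for the demonstration; the only thing that matters is that the two vulnerable messages differ. The hardened handler also verifies against a dummy credential when the username is unknown, so that the amount of work done does not depend on whether the account exists.

```python
import hashlib
import hmac
import os
import secrets


# Constructed user table for the demonstration (not WordPress's real storage
# scheme): username -> (salt, PBKDF2-HMAC-SHA256 of the password).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _make_user(password: str):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


USERS = {
    "admin": _make_user("correct horse"),
    "alice": _make_user("battery staple"),
}

# Dummy credential the hardened handler checks when the username is unknown,
# so an unknown username runs the same code path (and costs the same time).
_DUMMY_SALT, _DUMMY_HASH = _make_user(secrets.token_hex(16))


def _check(salt: bytes, stored: bytes, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_vulnerable(username: str, password: str):
    """Behaviour the post describes: the error text reveals whether the
    username exists."""
    if username not in USERS:
        return False, "ERROR: Incorrect username"
    salt, stored = USERS[username]
    if not _check(salt, stored, password):
        # Wording assumed; the post's screenshot of this message is not shown.
        return False, "ERROR: Incorrect password"
    return True, "OK"


def login_fixed(username: str, password: str):
    """Hardened handler: one message for both failures, same work either way."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = _check(salt, stored, password) and username in USERS
    if not ok:
        return False, "ERROR: Incorrect username/password"
    return True, "OK"


def enumerate_usernames(login, candidates):
    """Attacker's oracle: take the failure message for a username that certainly
    does not exist as the baseline; any candidate whose failure message differs
    from it is a valid account."""
    baseline = login(secrets.token_hex(8), "x")[1]
    return {u for u in candidates if login(u, "x")[1] != baseline}


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "carol"]
    print("vulnerable:", enumerate_usernames(login_vulnerable, wordlist))
    print("fixed:     ", enumerate_usernames(login_fixed, wordlist))
```

Against the vulnerable handler the oracle recovers exactly the accounts that exist; against the fixed handler it recovers none. A uniform message alone is not always enough: if the handler only hashes the password when the user exists, response time becomes the next oracle, which is why the fixed version always performs a hash comparison.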
WordPress.org was notified on the 8th March via wordpress.org/support and security@wordpress.org.