Well, if you use a code injection vulnerability you can display tables and such without actually
having login access to the database. Finding an input field (say a URL or text input box) without
correct input validation can provide this level of access.
Since WordPress then, effectively through cookies, uses MD5 hashes of passwords as passwords,
it's stupid simple to gain access to any account.
To look at it this way...
A similar example would be on old Unix boxes without shadow passwords. Say you get access to an
FTP account; all you have to do is then download the /etc/passwd file. This is very easy to do
since everything uses that file for doing such mundane things as mapping a username to a uid.
Any network service, any user program, any user account can allow access to /etc/passwd. You
don't need to be root to do that.
It appears to me that the password table in the SQL database is pretty much equivalent to
Well, in those old Unix/Linux systems the passwords would be encrypted in some manner. The
attacker would then have to run a brute force program to find passwords that match the hashes.
However... WordPress is so badly designed that the attacker does not have to even do that. Once
they obtain the hash of the password they can actually use the hash _as_the_password_. It's
So this vulnerability is a combination of an attacker finding bad input validation and badly
designed single-sign-on authentication systems based on browser cookies.
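The design point the post makes (a cookie that carries the stored password hash is itself a credential, so a leaked hash table is as good as a password list) is easiest to see side by side with a cookie scheme that does not derive from the password at all. The following is an added illustration, not code from the post or from WordPress: the `USERS` table, the `weak_cookie_is_valid` check and the `login`/`hardened_cookie_is_valid` functions are hypothetical names, and the user record is constructed for the example. The hardened variant issues a random server-side session id and signs the cookie with a server-only key, so knowing a database hash gives no valid cookie.

```python
import hashlib
import hmac
import secrets

# Constructed sample user table: the password column holds MD5(password),
# the storage scheme the post attributes to old WordPress. Values are made up.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def weak_cookie_is_valid(cookie_user, cookie_value):
    """Weak scheme from the post: the cookie carries the stored hash itself.

    Whoever can read the hash column (e.g. through the SQL injection the post
    describes) can present it directly; no password guessing is needed.
    """
    stored = USERS.get(cookie_user)
    return stored is not None and hmac.compare_digest(stored, cookie_value)


# Hardened scheme (hypothetical design, not WordPress code): a successful
# password check mints a random session id that lives only on the server.
SESSIONS = {}                          # session id -> username
SECRET_KEY = secrets.token_bytes(32)   # server-only signing key, never stored in the DB


def _sign(sid):
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def login(user, password):
    """Return a signed session cookie, or None if the password is wrong."""
    stored = USERS.get(user)
    candidate = hashlib.md5(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    sid = secrets.token_urlsafe(32)    # unpredictable, unrelated to the password
    SESSIONS[sid] = user
    return f"{sid}.{_sign(sid)}"


def hardened_cookie_is_valid(cookie_value):
    """Return the username for a valid session cookie, else None.

    A leaked password hash is useless here: it is neither a known session id
    nor carries a valid HMAC tag under SECRET_KEY.
    """
    try:
        sid, tag = cookie_value.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(sid), tag):
        return None
    return SESSIONS.get(sid)


def logout(cookie_value):
    """Server-side revocation, which the hash-as-cookie scheme cannot offer."""
    user = hardened_cookie_is_valid(cookie_value)
    if user is not None:
        SESSIONS.pop(cookie_value.rsplit(".", 1)[0], None)
    return user is not None


if __name__ == "__main__":
    leaked_hash = USERS["alice"]   # what an attacker would obtain from the DB
    print("weak scheme accepts leaked hash:", weak_cookie_is_valid("alice", leaked_hash))
    print("hardened scheme accepts leaked hash:", hardened_cookie_is_valid(leaked_hash))
    cookie = login("alice", "correct horse")
    print("hardened scheme accepts real login:", hardened_cookie_is_valid(cookie))
```

The second half of the fix, which this example does not implement, is on the storage side: an unsalted fast hash such as MD5 is still cheap to brute force once the table leaks, so the stored value should be a salted, slow password hash as well as being decoupled from the cookie. Parameterised queries on every input field close the injection path that exposes the table in the first place.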