CVE-2007-6013 — Use of a Broken or Risky Cryptographic Algorithm in Wordpress

CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-287 — Improper Authentication11 documents7 sources

Severity

9.8CRITICALNVD

NVD7.5

EPSS

1.6%

top 18.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Fedoraproject Fedora

Timeline

PublishedNov 19

Latest updateMay 1

Description

Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then generating the authentication cookie from that hash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 2.5.1-1 (bookworm)+1

▶Debianwordpress/wordpress< 2.5.0-1+7

▶NVDwordpress/wordpress1.5 — 2.3.1+1

Also affects: Fedora 7, 8

🔴Vulnerability Details

GHSA

GHSA-5g78-mv2p-rh9c: Wordpress 1↗2022-05-01

▶

GHSA

GHSA-m86r-5c2c-w6rq: The cookie authentication method in WordPress 2↗2022-05-01

▶

OSV

CVE-2008-1930: The cookie authentication method in WordPress 2↗2008-04-28

▶

OSV

CVE-2007-6013: Wordpress 1↗2007-11-19

▶

📋Vendor Advisories

Debian

CVE-2008-1930: wordpress - The cookie authentication method in WordPress 2.5 relies on a hash of a concaten...↗2008

▶

Red Hat

wordpress cookie authentication vulnerability↗2007-11-19

▶

Debian

CVE-2007-6013: wordpress - Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a passwo...↗2007

▶

📐Framework References

CWE

Use of a Broken or Risky Cryptographic Algorithm↗

▶

💬Community

Bugzilla

CVE-2007-6013 wordpress cookie authentication vulnerability↗2007-11-20

▶