CVE-2014-5204 — Cross-Site Request Forgery in Wordpress

CWE-352 — Cross-Site Request Forgery8 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

0.2%

top 53.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Debian Linux

Timeline

PublishedAug 18

Latest updateMay 17

Description

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 3.9.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.9.2+dfsg-1+3

▶NVDwordpress/wordpress3.9.1+1

Also affects: Debian Linux 7.0

Patches

Patch: wordpress.org ↗Patch: wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-72g8-w2mw-jmg3: wp-includes/pluggable↗2022-05-17

▶

OSV

CVE-2014-5204: wp-includes/pluggable↗2014-08-18

▶

💥Exploits & PoCs

Exploit-DB

AVG Internet Security 2015.0.5315 - Arbitrary Write Privilege Escalation↗2015-02-04

▶

📋Vendor Advisories

Debian

CVE-2014-5204: wordpress - wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces ...↗2014

▶

💬Community

Bugzilla

CVE-2014-5203 CVE-2014-5204 CVE-2014-5205 CVE-2014-5240 wordpress: multiple vulnerabilities fixed upstream↗2014-08-13

▶

Bugzilla

CVE-2014-5203 CVE-2014-5205 CVE-2014-5204 wordpress: multiple vulnerabilities fixed upstream [epel-all]↗2014-08-13

▶

Bugzilla

CVE-2014-5203 CVE-2014-5205 CVE-2014-5204 wordpress: multiple vulnerabilities fixed upstream [fedora-all]↗2014-08-13

▶