CVE-2014-5240 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting CWE-362 — Race Condition8 documents7 sources

Severity

2.1LOWNVD

EPSS

0.6%

top 29.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Openstack Neutron Debian Wordpress +1 more

Timeline

PublishedAug 18

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages4 packages

▶debiandebian/wordpress< wordpress 3.9.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.9.2+dfsg-1+3

▶NVDwordpress/wordpress3.9.1+30

▶PyPIopenstack/neutron< 7.0.0

Also affects: Debian Linux 7.0

Patches

Patch: wordpress.org ↗Patch: wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-324x-63mr-8cqc: Cross-site scripting (XSS) vulnerability in wp-includes/pluggable↗2022-05-17

▶

GHSA

OpenStack Neutron Race condition vulnerability↗2022-05-17

▶

OSV

CVE-2014-5240: Cross-site scripting (XSS) vulnerability in wp-includes/pluggable↗2014-08-18

▶

📋Vendor Advisories

Red Hat

openstack-neutron: Firewall rules bypass through port update↗2015-09-08

▶

Debian

CVE-2014-5240: wordpress - Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPre...↗2014

▶

💬Community

Bugzilla

CVE-2015-5240 openstack-neutron: Firewall rules bypass through port update↗2015-08-31

▶

Bugzilla

CVE-2014-5203 CVE-2014-5204 CVE-2014-5205 CVE-2014-5240 wordpress: multiple vulnerabilities fixed upstream↗2014-08-13

▶