cbcvebase.
CVE-2014-5266
published 2014-08-18

CVE-2014-5266: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in…

PriorityP337medium5CVSS 2.0
AVNACLAuNCNINAP
EXPLOIT
EPSS
24.39%
97.6th percentile
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.

Affected

102 ranges· showing 25
VendorProductVersion rangeFixed in
debiandebian_linux
debianwordpress< wordpress 3.9.2+dfsg-1 (bookworm)wordpress 3.9.2+dfsg-1 (bookworm)
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal

Detection & IOCsextracted from sources · hover to see the quote

pathxmlrpc.php
  • Monitor for abnormally large XML POST bodies sent to xmlrpc.php, which is the attack vector for this XML element count exhaustion DoS.
  • All WordPress and Drupal sites exposing xmlrpc.php are vulnerable regardless of whether XML-RPC functionality is actively used.
  • The specific fix was to bail/skip parsing when an unreasonably large number of XML tags/elements is present in the document — detect requests where XML element count is excessively high.
  • The OpenID module endpoint (xrds.inc) is also an attack surface on sites with OpenID enabled, in addition to xmlrpc.php.
  • Metasploit auxiliary module exists for this DoS; watch for its characteristic large XML-RPC POST requests to WordPress xmlrpc.php.
  • ·Affected versions span WordPress 3.5 through 3.9.2 (patched in 3.9.2, 3.8.4, 3.7.4) and Drupal 6.x before 6.33 / 7.x before 7.31; detection should account for all these version ranges.
  • ·The vulnerability is in the shared IXR Library used by both WordPress and Drupal; any application embedding this library may also be affected.

CVSS provenance

nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv5.0MEDIUM
vendor_debian5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.