Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-5266 — Wordpress vulnerability

7 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

76.3%

top 1.06%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Wordpress Debian Wordpress Debian Linux +1 more

Timeline

PublishedAug 18

Latest updateMay 17

Description

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶debiandebian/wordpress< wordpress 3.9.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.9.2+dfsg-1+3

▶NVDwordpress/wordpress3.9.1+30

▶NVDdrupal/drupal65 versions+64

Also affects: Debian Linux 7.0

🔴Vulnerability Details

GHSA

GHSA-mqgc-42gw-w5hm: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3↗2022-05-17

▶

OSV

CVE-2014-5266: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3↗2014-08-18

▶

💥Exploits & PoCs

Metasploit

Wordpress XMLRPC DoS↗

▶

📋Vendor Advisories

Debian

CVE-2014-5266: wordpress - The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal ...↗2014

▶

💬Community

Bugzilla

CVE-2014-5265 CVE-2014-5266 CVE-2014-5267 drupal: denial of service issue (SA-CORE-2014-004)↗2014-08-07

▶

Bugzilla

CVE-2014-5265 CVE-2014-5266 wordpress: security issues fixed in version 3.9.2↗2014-08-07

▶