CVE-2014-9034
published 2014-11-25

CVE-2014-9034: wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial…

Priority: P3 (46)
Severity: medium, CVSS 2.0 base score 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploit: public PoC available
EPSS: 83.16% (99.6th percentile)
wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.

Affected (15 ranges)

Vendor      Product     Version range                 Fixed in
debian      wordpress   < 4.0.1+dfsg-1 (bookworm)     4.0.1+dfsg-1 (bookworm)
wordpress   wordpress   <= 3.7.4                      (blank)
wordpress   wordpress   (blank; 9 rows whose range did not survive extraction)
wordpress   wordpress   >= 0, < 4.0.1+dfsg-1          4.0.1+dfsg-1   (4 identical rows)

Detection & IOCs (extracted from sources)

path: /wp-login.php
path: wp-includes/class-phpass.php
command: for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done
  • Detect DoS attempts by monitoring for POST requests to /wp-login.php with extremely large password field values (e.g., 1,000,000 characters/bytes), which trigger excessive CPU consumption in the phpass hashing routine.
  • Alert on high-frequency concurrent POST requests to /wp-login.php from the same source IP, consistent with the exploit pattern of spawning ~150 parallel curl requests with short (0.25 s) sleep intervals.
  • Flag POST requests to /wp-login.php whose Content-Length or body size exceeds a reasonable threshold (e.g., >4096 bytes); a legitimate login form submission is a few hundred bytes, while the attack submits a password of up to 1,000,000 characters. Note that the stock Apache/nginx combined log format records the response size, not the request size, so the log format must be extended (e.g., nginx $request_length) for this rule to work.
  • Monitor for the User-Agent string used by the PHP-based PoC when it targets wp-login.php (the string itself is not reproduced on this page); treat it as a weak, easily changed indicator rather than a primary signal.
  • A spike in CPU consumption on the WordPress server correlating with bursts of login POST requests is a key behavioral indicator of this DoS vulnerability being exploited.
  • The vulnerability exists specifically in wp-includes/class-phpass.php and affects WordPress versions before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1. Detection rules should be scoped to unpatched instances.
  • The PoC needs only a valid username, not the account's password: WordPress looks the user up first and then runs the phpass hash over whatever password was submitted, so the CPU cost is paid before the password comparison fails. Rate limiting that counts failed logins therefore fires only after the expensive work has already been done and is insufficient on its own.
  • The PHP-based PoC uses curl_multi to send concurrent requests in a loop, meaning the attack traffic may appear distributed across multiple handles from a single process, potentially evading simple per-connection rate limits; per-source-IP counting is needed.
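The first three detection bullets above, as an added example in Python that is not part of this page or of WordPress: it parses constructed access-log lines (a custom format carrying the request length, since the stock combined format records only the response size), flags login POSTs whose body exceeds the 4096-byte threshold from the advisory, and counts login POSTs per source IP in a sliding window to catch the 150-request curl burst. The log format, the burst threshold of 20 requests in 10 seconds, and the sample traffic are assumptions made for the example.

```python
"""Detection logic for the CVE-2014-9034 login-DoS pattern, run over
constructed access-log lines.  Example code, not WordPress's or the page's.

Assumed log format (nginx-style custom format carrying $request_length):
  <ip> [<timestamp>] "<method> <path> HTTP/1.1" <status> <request_length>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

BODY_THRESHOLD = 4096                  # Content-Length threshold suggested by the advisory
BURST_COUNT = 20                       # assumed: alert at >= 20 login POSTs from one IP ...
BURST_WINDOW = timedelta(seconds=10)   # ... inside a 10-second sliding window


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["req_len"] = int(rec["req_len"])
    return rec


def is_login_post(rec):
    """True for a POST to wp-login.php under any site prefix, ignoring a query string."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php")


def oversized_logins(records, threshold=BODY_THRESHOLD):
    """Login POSTs whose request body is larger than a real form submission."""
    return [r for r in records if is_login_post(r) and r["req_len"] > threshold]


def login_bursts(records, count=BURST_COUNT, window=BURST_WINDOW):
    """Sliding window per source IP over login POSTs.

    Returns {ip: peak number of login POSTs seen inside any one window} for
    every IP that reached `count`; per-IP counting is used on purpose because
    the PoC spreads requests over many connections from one host.
    """
    peaks = {}
    recent = defaultdict(deque)
    for r in sorted((r for r in records if is_login_post(r)), key=lambda r: r["ts"]):
        q = recent[r["ip"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= count:
            peaks[r["ip"]] = max(peaks.get(r["ip"], 0), len(q))
    return peaks


def analyze(log_text):
    """Run both rules over raw log text and summarise the findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    big = oversized_logins(records)
    return {
        "oversized_ips": sorted({r["ip"] for r in big}),
        "max_body": max((r["req_len"] for r in big), default=0),
        "burst_ips": login_bursts(records),
    }


def make_line(ip, ts, method, path, status, req_len):
    return f'{ip} [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} {req_len}'


def sample_log():
    """Constructed traffic (not a real capture): 150 oversized login POSTs at
    0.25 s spacing, mirroring the curl loop from the PoC, plus benign requests."""
    t0 = datetime.strptime("25/Nov/2014:10:00:00 +0000", TS_FMT)
    lines = [
        make_line("203.0.113.7", t0 + timedelta(seconds=i * 0.25), "POST",
                  "/wordpress/wp-login.php", 200, 1_000_123)
        for i in range(150)
    ]
    lines.append(make_line("198.51.100.4", t0 + timedelta(seconds=1), "POST", "/wordpress/wp-login.php", 302, 412))
    lines.append(make_line("198.51.100.4", t0 + timedelta(seconds=5), "GET", "/wordpress/wp-login.php", 200, 310))
    lines.append(make_line("198.51.100.4", t0 + timedelta(seconds=7), "POST", "/wordpress/wp-admin/post.php", 302, 9000))
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyze(sample_log()))
```

Only the attacking host trips either rule: the legitimate 412-byte login and the larger but unrelated post.php submission are ignored, and the burst rule reports the peak in-window count for the attacker rather than a per-connection figure, which is the behaviour the last bullet calls for.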

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:N/A:P
osv                       5.0     MEDIUM
vendor_debian             5.0     MEDIUM