CVE-2014-9038 — Improper Input Validation in Wordpress

CWE-20 — Improper Input Validation5 documents5 sources

Severity

6.4MEDIUMNVD

EPSS

1.2%

top 20.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedNov 25

Latest updateMay 17

Description

wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.0.1+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.0.1+dfsg-1+3

▶NVDwordpress/wordpress3.7.4+9

Patches

Patch: wordpress.org ↗Patch: wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-gq5c-r56r-pjjx: wp-includes/http↗2022-05-17

▶

OSV

CVE-2014-9038: wp-includes/http↗2014-11-25

▶

📋Vendor Advisories

Debian

CVE-2014-9038: wordpress - wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before...↗2014

▶

💬Community

Bugzilla

CVE-2014-9031 CVE-2014-9032 CVE-2014-9033 CVE-2014-9034 CVE-2014-9035 CVE-2014-9036 CVE-2014-9037 CVE-2014-9038 CVE-2014-9039 wordpress: security flaws fixed in the 4.0.1 release↗2014-11-21

▶