CVE-2015-5730 — Sensitive Information Exposure in Wordpress

CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

9.5%

top 7.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedNov 9

Latest updateAug 23

Description

The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.2.4+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.2.4+dfsg-1+3

▶NVDwordpress/wordpress4.2.3

Patches

Patch: codex.wordpress.org ↗Patch: wordpress.org ↗Patch: codex.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-g4h2-wpj9-vf75: The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets↗2022-05-17

▶

OSV

CVE-2015-5730: The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets↗2015-11-09

▶

📋Vendor Advisories

Debian

CVE-2015-5730: wordpress - The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets....↗2015

▶

📄Research Papers

arXiv

Empirical Analysis of Software Vulnerabilities Causing Timing Side Channels↗2023-08-23

▶

💬Community

Bugzilla

CVE-2015-2213 CVE-2015-5730 CVE-2015-5731 CVE-2015-5732 CVE-2015-5733 CVE-2015-5734 wordpress: cross-site scripting vulnerabilities and a potential SQL injection↗2015-08-05

▶