Cross-Site Request Forgery Vulnerability in WordPress by Automattic
CVE-2014-5204


Key Information:

Vendor
WordPress
CVE Published:
18 August 2014

Summary

WordPress before 3.9.2 rejects an invalid CSRF nonce with a timing that depends on which characters of the nonce are wrong. The nonce check in wp-includes/pluggable.php compares the supplied value against the expected one with an ordinary string comparison that returns as soon as it reaches the first mismatching character, so a request whose nonce shares a longer correct prefix with the expected value takes measurably longer to be refused. An attacker who can time responses can therefore confirm a 10-character hex nonce one character at a time instead of guessing the whole value, reducing the brute-force effort from exponential to linear in the nonce length. A recovered nonce lets the attacker forge a request that performs a state-changing action on behalf of the logged-in user. WordPress 3.9.2 fixes this by replacing the comparison with a constant-time one.
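The Python model below is added here to illustrate the class of bug described in the summary; it is not WordPress code (WordPress is PHP, where the constant-time primitive is hash_equals()). The names EXPECTED_NONCE, vulnerable_compare, constant_time_compare and recover_nonce are this example's own, the nonce value is constructed, and the loop-iteration count returned by each comparison stands in for the response time an attacker would measure over the network.

```python
"""Model of the CVE-2014-5204 nonce-comparison timing leak (constructed example).

A WordPress nonce is a 10-character lowercase-hex string. The vulnerable check
stops comparing at the first mismatching character; here the work it does is
reported as a loop-iteration count that stands in for the response time an
attacker would measure. The constant-time variant does the same work whatever
the input, which is the property PHP's hash_equals() and Python's
hmac.compare_digest() provide.
"""
import hmac
from typing import Callable, Optional, Tuple

HEX_ALPHABET = "0123456789abcdef"
NONCE_LEN = 10

# Constructed value standing in for the server-side expected nonce;
# not a real WordPress nonce.
EXPECTED_NONCE = "3e7b1a9c4d"

# An oracle takes a guessed nonce and returns (accepted, cost).
Oracle = Callable[[str], Tuple[bool, int]]


def vulnerable_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Early-exit comparison (the pre-3.9.2 behaviour, modelled).

    Returns (equal, iterations). `iterations` grows with the length of the
    correctly guessed prefix, which is exactly what leaks to the attacker.
    """
    iterations = 0
    if len(expected) != len(supplied):
        return False, iterations
    for a, b in zip(expected, supplied):
        iterations += 1
        if a != b:
            return False, iterations  # stops at the first wrong character
    return True, iterations


def constant_time_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Constant-time comparison: every character is inspected regardless of
    where the first difference is, so `iterations` carries no information.
    A length mismatch is not a leak for a fixed-length nonce. In real code use
    hash_equals() / hmac.compare_digest() rather than a hand-rolled loop; the
    loop is written out here only so the cost model is visible.
    """
    iterations = 0
    if len(expected) != len(supplied):
        return False, iterations
    diff = 0
    for a, b in zip(expected, supplied):
        iterations += 1
        diff |= ord(a) ^ ord(b)  # accumulate, never branch on the result
    return diff == 0, iterations


def recover_nonce(oracle: Oracle, length: int = NONCE_LEN,
                  alphabet: str = HEX_ALPHABET) -> Tuple[Optional[str], int]:
    """Character-at-a-time recovery driven only by the oracle's cost signal.

    For each position every alphabet character is tried, with the positions
    after it padded with '0'. Against the early-exit compare the correct
    character is the one whose rejection cost the most; if all candidates
    cost the same the oracle leaks nothing and the attack stops.
    Returns (recovered_nonce or None, number_of_guesses).
    """
    known = ""
    guesses = 0
    for pos in range(length):
        costs = {}
        for c in alphabet:
            candidate = known + c + "0" * (length - pos - 1)
            guesses += 1
            accepted, cost = oracle(candidate)
            if accepted:
                return candidate, guesses
            costs[c] = cost
        if max(costs.values()) == min(costs.values()):
            return None, guesses  # no timing signal at this position
        known += max(costs, key=costs.get)
    return None, guesses


if __name__ == "__main__":
    leaky = lambda guess: vulnerable_compare(EXPECTED_NONCE, guess)
    fixed = lambda guess: constant_time_compare(EXPECTED_NONCE, guess)
    print("early-exit compare   :", recover_nonce(leaky))
    print("constant-time compare:", recover_nonce(fixed))
```

Against the early-exit oracle the attack recovers the 10-character nonce in at most 16 × 10 = 160 requests (158 for the constructed value above), where a blind search needs on the order of 16^10. Against the constant-time oracle every candidate costs the same, so the attack aborts after one pass over the alphabet. Over a real network the signal is a sub-microsecond difference buried in jitter and has to be recovered statistically over many samples, which is why the advisory says the leak makes brute force easier rather than trivial; the defence is the same either way: compare secrets with hash_equals() in PHP or hmac.compare_digest() in Python.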
