CVE-2014-5204

Currently unrated

Key Information:

Vendor: Wordpress
Status: Debian Linux
Vendor: CVE Published:; 18 August 2014

Summary

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

References

http://www.debian.org/security/2014/dsa-3001

vendor-advisoryx_refsource_DEBIAN

https://wordpress.org/news/2014/08/wordpress-3-9-2/

x_refsource_CONFIRM

https://core.trac.wordpress.org/changeset/29384

x_refsource_CONFIRM

Timeline

Vulnerability published
Aug 18, 2014
Vulnerability Reserved
Aug 13, 2014