- Attackers can discover valid session identifiers via a brute-force attack because this WordPress version does not invalidate a wordpress_sec session cookie when an administrator logs out.
- The application should keep track of the session identifiers of users who have explicitly logged out and reject any later request that presents them.
- Name: CVE-2012-5868
- Fixed In: 3.4.3
- Disclosure date
- Christopher Emerson
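
The logout tracking recommended above, as an added example that is not WordPress code and not part of the original advisory. The cookie layout (`user|expiry|nonce|mac`), the in-memory `REVOKED` map and all function names are assumptions made for illustration. It contrasts a check that validates only signature and expiry, which keeps accepting a cookie after logout, with one that also consults the logout record.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # server signing key, generated for this example
REVOKED = {}                   # sha256(cookie) -> expiry, filled in by logout()


def issue_cookie(user, now, ttl=3600):
    """Return a signed cookie in the hypothetical user|expiry|nonce|mac layout."""
    body = f"{user}|{int(now) + ttl}|{secrets.token_hex(16)}"
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def _digest(cookie):
    return hashlib.sha256(cookie.encode()).hexdigest()


def verify_stateless(cookie, now):
    """Signature and expiry only: a cookie from a logged-out session still passes."""
    body, sep, mac = cookie.rpartition("|")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    parts = body.split("|")  # body is authenticated from here on
    if len(parts) != 3 or int(parts[1]) <= now:
        return None
    return parts[0]


def logout(cookie, now):
    """Record the session as ended, keyed by a hash so raw cookies are not stored."""
    if verify_stateless(cookie, now) is not None:
        REVOKED[_digest(cookie)] = int(cookie.split("|")[1])


def verify_tracked(cookie, now):
    """Stateless checks plus the logout record the advisory recommends."""
    for d in [d for d, exp in REVOKED.items() if exp <= now]:
        del REVOKED[d]  # expired cookies already fail the expiry check
    user = verify_stateless(cookie, now)
    if user is None or _digest(cookie) in REVOKED:
        return None
    return user
```

Each entry in the logout record is needed only until its cookie's own expiry, so the record stays bounded by the number of sessions ended within one cookie lifetime.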