ThreatPress

WordPress Vulnerabilities Database

WordPress <= 3.4.2

Product
WordPress
Description
Attackers can discover valid session identifiers via a brute-force attack, because this WordPress version does not invalidate a wordpress_sec session cookie when an administrator logs out.
Solution
The application should keep track of session identifiers for which a user has explicitly logged out and prevent those sessions from connecting to the application.
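
The following is an added example, not WordPress code and not part of the original entry: a minimal sketch of the server-side tracking described above, in which logout revokes the session token so a replayed cookie is rejected. The `SessionStore` class, the `user|expires|token|mac` cookie layout and the signing key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-key"  # constructed signing key, for this example only


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Hypothetical server-side record of live session tokens per user."""

    def __init__(self):
        self._live = {}  # user -> set of SHA-256 digests of live tokens

    def issue(self, user, ttl=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._live.setdefault(user, set()).add(_digest(token))
        payload = f"{user}|{int(now) + ttl}|{token}"
        return f"{payload}|{_mac(payload)}"

    def validate(self, cookie, now=None, check_store=True):
        """Return the user name if the cookie is accepted, else None."""
        now = time.time() if now is None else now
        try:
            user, expires, token, mac = cookie.split("|")
            expired = int(expires) < now
        except ValueError:
            return None  # malformed cookie
        expected = _mac(f"{user}|{expires}|{token}")
        if expired or not hmac.compare_digest(mac.encode(), expected.encode()):
            return None
        # check_store=False models the flaw: signature and expiry alone decide.
        if check_store and _digest(token) not in self._live.get(user, set()):
            return None  # token was revoked at logout
        return user

    def logout(self, cookie):
        """Revoke the presented session so the cookie cannot be replayed."""
        user = self.validate(cookie)
        if user is not None:
            self._live[user].discard(_digest(cookie.split("|")[2]))
        return user is not None
```

Calling `validate` with `check_store=False` after `logout` still accepts the cookie until it expires, which is the behaviour the description reports; the default store-backed check rejects it immediately.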
Classification
Type Unknown
References
CVE Mitre
CVE
Name CVE-2012-5868
Versions
Affected In <= 3.4.2
Fixed In 3.4.3
Disclosure date
2012-11-14
Credits
Christopher Emerson