ThreatPress

WordPress Vulnerabilities Database

WordPress <=3.9.1 - Multiple Vulnerabilities #2

Product
WordPress
Description
wp-includes/pluggable.php takes a different amount of time to reject an invalid CSRF nonce depending on which characters in the nonce are incorrect, which allows attackers to bypass the CSRF protection mechanism via a brute-force attack. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-3-9-1-multiple-vulnerabilities
Solution
Update WordPress.
Classification
Type Multi
References
CVE Mitre
CVE
Name CVE-2014-5204
Versions
Affected In <= 3.9.1
Fixed In 3.9.2
Disclosure date
2014-08-13
Credits
David Tomaschik