Description

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Remediation

References

CVE-2014-5204

Related Vulnerabilities

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2011-0700)

WordPress Plugin Double Opt-In for Download Multiple Cross-Site Scripting Vulnerabilities (2.1.5)

OpenSSL Session Fixation Vulnerability (CVE-1999-0428)

MySQL CVE-2022-21638 Vulnerability (CVE-2022-21638)

Caddy Web Server URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2022-29718)

Severity

Medium

Classification

CVE-2014-5204 CWE-352

Tags

Missing Update Known Vulnerabilities