Description

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Remediation

References

CVE-2014-5204

Related Vulnerabilities

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-33332)

WordPress Plugin Zoho CRM Lead Magnet Cross-Site Scripting (1.7.2.8)

Apache HTTP Server Other Vulnerability (CVE-2010-0408)

Moodle DEPRECATED: Code Vulnerability (CVE-2015-3177)

Jenkins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-7536)

Severity

Medium

Classification

CVE-2014-5204 CWE-352

Tags

Missing Update Known Vulnerabilities