Description

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Remediation

References

CVE-2014-5205

Related Vulnerabilities

WordPress 3.1.2 Multiple Vulnerabilities (3.0.1 - 3.1.2)

WordPress Plugin WP-PostRatings Cross-Site Scripting (1.50)

PHP Improper Input Validation Vulnerability (CVE-2011-1470)

Python Other Vulnerability (CVE-2015-5652)

WordPress Plugin Virim PHP Object Injection (0.4)

Severity

Medium

Classification

CVE-2014-5205 CWE-352

Tags

Missing Update Known Vulnerabilities