Description
wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
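The ambiguity described above, shown as an added example that is not WordPress's own code: a simplified model in which a token is a keyed hash over a time tick, an action name and a user ID, built once without delimiters and once with them. The secret, tick, action names and function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for illustration; not a real site secret or tick.
SECRET = b"constructed-site-secret"
TICK = "423871"


def _mac(message: str) -> str:
    """Keyed hash of the token input, truncated to a short token."""
    return hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()[:10]


def token_undelimited(action: str, uid: int) -> str:
    """Weak pattern: fields are concatenated with no separator."""
    return _mac(f"{TICK}{action}{uid}")


def token_delimited(action: str, uid: int) -> str:
    """Hardened pattern: join fields with a separator no field may contain."""
    fields = [TICK, action, str(uid)]
    if any("|" in field for field in fields):
        raise ValueError("field contains the delimiter")
    return _mac("|".join(fields))


def find_collisions(make_token, pairs):
    """Group (action, uid) pairs by token; return groups sharing one token."""
    seen = {}
    for action, uid in pairs:
        seen.setdefault(make_token(action, uid), []).append((action, uid))
    return [group for group in seen.values() if len(group) > 1]


# Constructed sample: action names ending in an object ID, with numeric user IDs.
PAIRS = [
    ("delete-post_1", 23),
    ("delete-post_12", 3),
    ("trash-post_7", 15),
    ("trash-post_71", 5),
    ("edit-post_9", 4),
]

if __name__ == "__main__":
    print("undelimited:", find_collisions(token_undelimited, PAIRS))
    print("delimited:  ", find_collisions(token_delimited, PAIRS))
```

Without a delimiter, distinct (action, uid) pairs map to the same hash input, so one token is valid for more than one action and user combination, which shrinks the space the protection relies on.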
Remediation
References
Related Vulnerabilities
WordPress 3.9.x Multiple Vulnerabilities (3.9 - 3.9.28)
WordPress Improper Input Validation Vulnerability (CVE-2009-2431)
PostgreSQL Other Vulnerability (CVE-2002-1399)
MyBB Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-9410)
WordPress Plugin Gallery-Flagallery Photo Portfolio Multiple Vulnerabilities (2.00)