Description

The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.

Remediation

References

CVE-2015-5730

Related Vulnerabilities

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2009-3557)

Lighttpd Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-4559)

WordPress Plugin Simple Social Media Share Buttons-Social Sharing for Everyone Cross-Site Scripting (3.2.2)

WordPress Plugin FreshMail For WordPress Multiple SQL Injection Vulnerabilities (1.5.8)

Apache HTTP Server CVE-2012-0031 Vulnerability (CVE-2012-0031)

Severity

Medium

Classification

CVE-2015-5730 CWE-200

Tags

Missing Update Known Vulnerabilities