Description

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Remediation

References

CVE-2014-5204

Related Vulnerabilities

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.23)

WordPress Plugin NextScripts:Social Networks Auto-Poster Cross-Site Scripting (4.3.20)

WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.11)

Drupal Other Vulnerability (CVE-2006-3570)

Craft CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-37247)

Severity

Medium

Classification

CVE-2014-5204 CWE-352

Tags

Missing Update Known Vulnerabilities