Wordpress : Security Vulnerabilities, CVEs, Published In 2014 (CSRF)
Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords.
Max CVSS
6.8
EPSS Score
0.29%
Published
2014-11-25
Updated
2015-11-02
wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
Max CVSS
6.8
EPSS Score
0.16%
Published
2014-08-18
Updated
2014-11-14
wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
Max CVSS
6.8
EPSS Score
0.15%
Published
2014-08-18
Updated
2015-11-25
3 vulnerabilities found