CVE-2014-9038 : wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before

wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource.

Published 2014-11-25 23:59:09

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Vulnerability category: Server-side request forgery (SSRF)

Products affected by CVE-2014-9038

Wordpress » Wordpress
Versions up to, including, (<=) 3.7.4
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress » Version: 3.8
cpe:2.3:a:wordpress:wordpress:3.8:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress » Version: 3.8.1
cpe:2.3:a:wordpress:wordpress:3.8.1:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress » Version: 3.9.1
cpe:2.3:a:wordpress:wordpress:3.9.1:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress » Version: 3.8.2
cpe:2.3:a:wordpress:wordpress:3.8.2:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress » Version: 3.9.2
cpe:2.3:a:wordpress:wordpress:3.9.2:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress » Version: 3.8.4
cpe:2.3:a:wordpress:wordpress:3.8.4:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress » Version: 3.8.3
cpe:2.3:a:wordpress:wordpress:3.8.3:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress » Version: 3.9
cpe:2.3:a:wordpress:wordpress:3.9:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress » Version: 4.0
cpe:2.3:a:wordpress:wordpress:4.0:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2014-9038

Top countries where our scanners detected CVE-2014-9038

Top open port discovered on systems with this issue 80

IPs affected by CVE-2014-9038 3,649

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2014-9038!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2014-9038

EPSS FAQ

1.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-9038

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:P/A:N	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2014-9038

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-9038

http://www.debian.org/security/2014/dsa-3085

Debian -- Security Information -- DSA-3085-1 wordpress

CVEs referencing this url
https://core.trac.wordpress.org/changeset/30444

Changeset 30444 – WordPress Trac
Vendor Advisory
https://wordpress.org/news/2014/11/wordpress-4-0-1/

News – WordPress 4.0.1 Security Release – WordPress.org
Patch;Vendor Advisory

CVEs referencing this url
http://www.mandriva.com/security/advisories?name=MDVSA-2014:233

mandriva.com

CVEs referencing this url
http://advisories.mageia.org/MGASA-2014-0493.html

Mageia Advisory: MGASA-2014-0493 - Updated wordpress package fixes security vulnerabilities

CVEs referencing this url
http://www.securitytracker.com/id/1031243

WordPress Bugs Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Denial of Service Attacks - SecurityTracker

CVEs referencing this url
http://openwall.com/lists/oss-security/2014/11/25/12

oss-security - Re: WordPress 4.0.1 Security Release

CVEs referencing this url