Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords.
| Field | Value |
|---|---|
| Max Base Score | 6.8 |
| Published | 2014-11-25 |
| Updated | 2015-11-02 |
| EPSS | 0.29% |
wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
| Field | Value |
|---|---|
| Max Base Score | 6.8 |
| Published | 2014-08-18 |
| Updated | 2014-11-14 |
| EPSS | 0.16% |
wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
| Field | Value |
|---|---|
| Max Base Score | 6.8 |
| Published | 2014-08-18 |
| Updated | 2015-11-25 |
| EPSS | 0.15% |
3 vulnerabilities found