Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2014-5204

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Related bugs and status

CVE-2014-5204 (Candidate) is related to these bugs:

Bug #1395336: security fixes since 3.8.2

Summary				In	Importance	Status
	1395336	security fixes since 3.8.2		wordpress (Ubuntu)	Undecided	Invalid
	1395336	security fixes since 3.8.2		wordpress (Ubuntu Trusty)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2014081...
CONFIRM: https://core.trac.word...
CONFIRM: https://wordpress.org/...
DEBIAN: DSA-3001