Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2014-5205

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Related bugs and status

CVE-2014-5205 (Candidate) is related to these bugs:

Bug #1395336: security fixes since 3.8.2

Summary				In	Importance	Status
	1395336	security fixes since 3.8.2		wordpress (Ubuntu)	Undecided	Invalid
	1395336	security fixes since 3.8.2		wordpress (Ubuntu Trusty)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2014081...
CONFIRM: https://core.trac.word...
CONFIRM: https://wordpress.org/...
DEBIAN: DSA-3001