CVE-2014-0166
MEDIUM severity · CVSS 6.4 · Improper authentication
6.4CVSS MEDIUM
Summary
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impactNone
Exploit probability (EPSS)35%
AV:N/AC:L/Au:N/C:P/I:P/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://codex.wordpress.org/Version_3.7.2Advisory
- http://codex.wordpress.org/Version_3.8.2Advisory
- http://codex.wordpress.org/Version_3.7.2Advisory
- http://codex.wordpress.org/Version_3.8.2Advisory
- http://core.trac.wordpress.org/changeset/28054
- http://www.debian.org/security/2014/dsa-2901
- https://bugzilla.redhat.com/show_bug.cgi?id=1085858
- http://core.trac.wordpress.org/changeset/28054