What is CVE-2014-6412?

CVE-2014-6412 is a high-severity software vulnerability (CWE-640) with a CVSS score of 8.1. WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

Is CVE-2014-6412 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 5%.

What products does CVE-2014-6412 affect?

Tracked products affected include WordPress. Check the version you run to see whether it is affected.

How do I fix CVE-2014-6412?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

← All products

CVE-2014-6412

HIGH severity · CVSS 8.1 · CWE-640

8.1CVSS HIGH

Summary

WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)5%

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

WordPress

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://core.trac.wordpress.org/ticket/28633Advisory
http://packetstormsecurity.com/files/130380/WordPress-Failed-Randomness.htmlAdvisory
http://seclists.org/fulldisclosure/2015/Feb/42Advisory
http://seclists.org/fulldisclosure/2015/Feb/53Advisory
http://www.securityfocus.com/bid/72589Advisory
http://www.securitytracker.com/id/1031749Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1192474Advisory