CVE-2014-0166

WordPress <3.7.2, <3.8.2 - Info Disclosure

Description

The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.

Exploits (1)

nomisec WORKING POC 5 stars
by Ettack · poc
https://github.com/Ettack/POC-CVE-2014-0166

Scores

EPSS 0.3159
EPSS Percentile 96.7%

Classification

CWE
CWE-287
Status draft

Affected Products (50)

wordpress/wordpress < 3.7.1
wordpress/wordpress

Timeline

Published Apr 10, 2014
Tracked Since Feb 18, 2026