CVE-2014-5240

WordPress < 3.9.1 - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.

Scores

EPSS 0.0063
EPSS Percentile 70.2%

Details

CWE
CWE-79
Status published
Products (34)
wordpress/wordpress < 3.9.1
wordpress/wordpress
wordpress/wordpress
wordpress/wordpress
wordpress/wordpress
wordpress/wordpress
wordpress/wordpress
wordpress/wordpress
wordpress/wordpress
wordpress/wordpress
... and 24 more
Published Aug 18, 2014
Tracked Since Feb 18, 2026