CVE-2014-5265
WordPress < 3.9.2 - Denial of Service via XML Entity Expansion
Title source: llmDescription
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
References (6)
Core 6
Core References
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2014/dsa-3001
Patch, Vendor Advisory x_refsource_confirm
https://wordpress.org/news/2014/08/wordpress-3-9-2/
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2014-004
Various Sources x_refsource_confirm
http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2014/dsa-2999
Product x_refsource_confirm
https://core.trac.wordpress.org/changeset/29404
Scores
EPSS
0.0702
EPSS Percentile
91.6%
Details
CWE
CWE-399
Status
published
Products (35)
debian/debian_linux
7.0
drupal/drupal
6.0 (10 CPE variants)
drupal/drupal
6.1
drupal/drupal
6.2
drupal/drupal
6.3
drupal/drupal
6.4
drupal/drupal
6.5
drupal/drupal
6.6
drupal/drupal
6.7
drupal/drupal
6.8
... and 25 more
Published
Aug 18, 2014
Tracked Since
Feb 18, 2026