CVE-2014-5266

WordPress < 3.9.2 - Denial of Service via Large XML Document in IXR Library

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5266. PoCs published by Nir Goldshlager, Christian Mehlmauer, including Metasploit module auxiliary/dos/http/wordpress_xmlrpc_dos.

AI-analyzed exploit summary: This Metasploit module exploits a denial-of-service vulnerability in WordPress XMLRPC parsing by sending maliciously crafted XML payloads that consume excessive memory. It fingerprints the target's memory limits and sends multiple requests to trigger a crash.

Description

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.

Exploits (1)

Metasploit (working PoC)
by Nir Goldshlager, Christian Mehlmauer · Ruby PoC
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb

Classification
Working PoC: 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: WordPress 3.5 - 3.9.2 (excluding patched versions 3.8.4 and 3.7.4)
Authentication: none needed
Prerequisites: Access to the WordPress XMLRPC endpoint
Analyzed by devstral-2 on Feb 16, 2026

References (7)

Core References
http://www.debian.org/security/2014/dsa-3001 (Third Party Advisory, vendor-advisory, x_refsource_debian)
https://wordpress.org/news/2014/08/wordpress-3-9-2/ (Vendor Advisory, x_refsource_confirm)
https://www.drupal.org/SA-CORE-2014-004 (Vendor Advisory, x_refsource_confirm)
http://www.debian.org/security/2014/dsa-2999 (Third Party Advisory, vendor-advisory, x_refsource_debian)

Scores

EPSS 0.7631
EPSS Percentile 99.0%

Details

CWE: CWE-399
Status: published
Products (35)
debian/debian_linux 7.0
drupal/drupal 6.0 (10 CPE variants)
drupal/drupal 6.1
drupal/drupal 6.2
drupal/drupal 6.3
drupal/drupal 6.4
drupal/drupal 6.5
drupal/drupal 6.6
drupal/drupal 6.7
drupal/drupal 6.8
... and 25 more
Published: Aug 18, 2014
Tracked Since: Feb 18, 2026