CVE-2014-5266

WordPress < 3.9.1 - Resource Management Error

Title source: rule

Description

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.

Exploits (1)

metasploit WORKING POC
by Nir Goldshlager, Christian Mehlmauer · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb

Scores

EPSS 0.7631
EPSS Percentile 98.9%

Details

CWE
CWE-399
Status published
Products (35)
debian/debian_linux 7.0
drupal/drupal 6.0 (10 CPE variants)
drupal/drupal 6.1
drupal/drupal 6.2
drupal/drupal 6.3
drupal/drupal 6.4
drupal/drupal 6.5
drupal/drupal 6.6
drupal/drupal 6.7
drupal/drupal 6.8
... and 25 more
Published Aug 18, 2014
Tracked Since Feb 18, 2026