CVE-2014-9016

Drupal 7.x < 7.34 and Secure Password Hashes 6.x-2.x < 6.x-2.1 - Denial of Service via Password Hashing API

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2014-9016. PoCs published by Javier Nieto & Andres Rojas, c0r3dump3d and Primus27, including the Metasploit module auxiliary/dos/http/wordpress_long_password_dos. Note that the Metasploit module and the Primus27 PoC target WordPress, which is not among the affected products listed for this CVE (Drupal 7.x core and the Drupal 6 Secure Password Hashes module); they exercise the same weakness class, an unbounded-length password fed to an iterated phpass-style hash, against a different product.

AI-analyzed exploit summary
The tracked PoCs cause a denial of service in Drupal < 7.34 by submitting login requests for an existing username with an excessively long password field. The password hashing API feeds the full, unbounded password into every iteration of its stretching loop, so CPU time and memory per request grow with the payload length, and a handful of concurrent requests can exhaust the server.

Description

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

Exploits (4)

exploitdb WORKING POC
by Javier Nieto & Andres Rojas · text · dos · php
https://www.exploit-db.com/exploits/35415

This exploit demonstrates a denial-of-service (DoS) vulnerability in Drupal < 7.34 by sending specially crafted login requests with a large payload to exhaust CPU and memory resources. The PoC submits the login form for an existing username with an excessively long password field; the server only runs the expensive hash when the account exists, so the username must be valid but no password is needed.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Drupal < 7.34
No auth needed
Prerequisites: Name of an existing account (the oversized password is the payload, not a credential) · Network access to the target Drupal login form
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 13 stars
by c0r3dump3d · poc
https://github.com/c0r3dump3d/wp_drupal_timing_attack

This repository contains a Python script that exploits CVE-2014-9016 as a timing side channel in Drupal 6.* (with the phpass module) and 7.* for user enumeration: the expensive hash runs only when the submitted username exists, so response time reveals whether an account is present. The script can also attempt a DoS attack by flooding the server with login requests.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Drupal 6.* (with phpass module), Drupal 7.*
No auth needed
Prerequisites: Target URL · List of usernames or a single username to test
devstral-2 · analyzed Feb 16, 2026
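A worked illustration of the mechanism behind both the DoS in the CVE description and the timing-based user enumeration in the c0r3dump3d entry, added here as an example; it is not code from Drupal, phpass or any of the listed PoCs. It models the phpass/Drupal 7 stretching loop (digest = H(digest + password), repeated 2^count times; Drupal 7's default is 2^15 rounds of SHA-512) with a deliberately small round count so it runs quickly, a constructed in-memory account store, and an assumed 512-byte cap for the hardened path. The function names, the account data and the cost metric (bytes fed to the hash function) are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Illustrative, assumed parameters (not Drupal's code). Drupal 7's default
# exponent is 15 (2**15 = 32768 rounds); a small exponent keeps this demo
# under a second. The 512-byte cap is an assumed value for the hardened path.
COUNT_LOG2 = 7
MAX_PASSWORD_LENGTH = 512
SALT_LEN = 8


def phpass_style_hash(password: bytes, salt: bytes, count_log2: int = COUNT_LOG2):
    """phpass/Drupal-7-style stretching: h = H(salt + pw), then
    h = H(h + pw) for 2**count_log2 rounds.  Returns (digest, bytes_hashed).
    bytes_hashed is the attacker-controlled cost: every round re-reads the
    whole password, so a 1 MB password costs roughly rounds * 1 MB of hashing."""
    rounds = 1 << count_log2
    digest = hashlib.sha512(salt + password).digest()
    work = len(salt) + len(password)
    for _ in range(rounds):
        digest = hashlib.sha512(digest + password).digest()
        work += len(digest) + len(password)
    return digest, work


# Constructed in-memory account store: name -> (salt, stored digest).
USERS: dict = {}


def register(name: str, password: bytes) -> None:
    salt = secrets.token_bytes(SALT_LEN)
    digest, _ = phpass_style_hash(password, salt)
    USERS[name] = (salt, digest)


def login_vulnerable(name: str, password: bytes):
    """Shape of the pre-7.34 flow: no length check, and hashing happens only
    when the account exists.  Returns (authenticated, bytes_hashed)."""
    rec = USERS.get(name)
    if rec is None:
        return False, 0  # unknown user: no hashing, measurably faster (enumeration)
    salt, stored = rec
    digest, work = phpass_style_hash(password, salt)
    return hmac.compare_digest(digest, stored), work


DUMMY_SALT = b"\x00" * SALT_LEN


def login_hardened(name: str, password: bytes):
    """Bound the input before it reaches the hash, and spend the same hashing
    work for unknown accounts so timing does not reveal whether a name exists."""
    if len(password) > MAX_PASSWORD_LENGTH:
        return False, 0  # rejected before any hashing: cost is constant
    rec = USERS.get(name)
    if rec is None:
        _, work = phpass_style_hash(password, DUMMY_SALT)
        return False, work
    salt, stored = rec
    digest, work = phpass_style_hash(password, salt)
    return hmac.compare_digest(digest, stored), work


register("admin", b"correct horse battery")  # constructed account

if __name__ == "__main__":
    long_pw = b"A" * 100_000  # the PoCs use ~1 MB; 100 KB is enough to see the scaling
    for label, pw in (("normal password", b"wrong password"), ("100 KB password", long_pw)):
        _, w = login_vulnerable("admin", pw)
        print(f"vulnerable, {label}: {w:,} bytes hashed")
    print("hardened, 100 KB password:", login_hardened("admin", long_pw))
    print("vulnerable, unknown user:", login_vulnerable("nobody", b"x")[1], "bytes hashed")
    print("hardened, unknown user:  ", login_hardened("nobody", b"x")[1], "bytes hashed")
```

The bytes_hashed figure scales as rounds multiplied by password length: at Drupal 7's default of 2^15 rounds, a 1 MB password means about 32 GB of SHA-512 input for a single login request, which is the DoS. The zero-cost return for an unknown user in login_vulnerable is the timing leak the enumeration script measures; login_hardened removes both by refusing oversized input before hashing and by hashing against a dummy salt when the account does not exist.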
nomisec WORKING POC 1 star
by Primus27 · poc
https://github.com/Primus27/WordPress-Long-Password-Denial-of-Service

This repository contains a functional proof-of-concept exploit for CVE-2014-9016, a denial-of-service vulnerability in WordPress versions prior to 5.0.1. The exploit automates the submission of excessively long passwords to the WordPress login page, causing the service to become unresponsive.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: WordPress <5.0.1
No auth needed
Prerequisites: Python 3.6+ · Selenium · Firefox · Target WordPress instance with version <5.0.1
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
by Javier Nieto Arevalo, Andres Rojas Guerrero, rastating · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/wordpress_long_password_dos.rb

This Metasploit module exploits CVE-2014-9016 by sending multiple login requests with an extremely long password to WordPress, causing excessive CPU consumption because the phpass-based hashing iterates over the full, unbounded password. The module optionally validates that the target username exists (the hash only runs for an existing account) and issues concurrent requests to amplify the DoS effect.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1
No auth needed
Prerequisites: Valid WordPress username (optional validation)
devstral-2 · analyzed Jun 05, 2026
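Detection logic for the request patterns the entries above describe (oversized login POSTs, and bursts of login POSTs from one source for the flood and enumeration scripts), added here as an example and not taken from the page or from any of the listed projects. The log lines are constructed in an assumed nginx-style log_format that records $request_length (request line, headers and body); the common/combined format's response-size field would not expose an oversized password body. The thresholds and the login paths are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed nginx-style log_format:
#   '$remote_addr [$time_local] "$request" $status $request_length'
SAMPLE_LOG = """\
203.0.113.7 [20/Nov/2014:10:00:01 +0000] "POST /user/login HTTP/1.1" 200 1048912
203.0.113.7 [20/Nov/2014:10:00:02 +0000] "POST /user/login HTTP/1.1" 200 1048912
198.51.100.2 [20/Nov/2014:10:00:03 +0000] "GET /user/login HTTP/1.1" 200 612
198.51.100.2 [20/Nov/2014:10:00:09 +0000] "POST /user/login HTTP/1.1" 302 734
203.0.113.7 [20/Nov/2014:10:00:10 +0000] "POST /user/login HTTP/1.1" 200 1048912
203.0.113.9 [20/Nov/2014:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2100000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+)$'
)
LOGIN_PATHS = {"/user/login", "/wp-login.php"}  # Drupal 7 and WordPress login endpoints
MAX_LOGIN_REQUEST_BYTES = 16 * 1024   # assumed threshold; a real login POST is far smaller
BURST_COUNT = 3                       # assumed: this many login POSTs from one source...
BURST_WINDOW = timedelta(seconds=60)  # ...inside this window flags flooding/enumeration


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "req_len": int(m["req_len"]),
    }


def detect(lines):
    """Return (rule, source_ip, value) findings for login POSTs that are
    oversized or that arrive in a burst from one source."""
    findings = []
    recent = defaultdict(list)  # ip -> timestamps of login POSTs inside the window
    burst_reported = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        if rec["req_len"] > MAX_LOGIN_REQUEST_BYTES:
            findings.append(("oversized_login_post", rec["ip"], rec["req_len"]))
        # sliding window: keep only timestamps still inside BURST_WINDOW
        window = [t for t in recent[rec["ip"]] if rec["ts"] - t <= BURST_WINDOW]
        window.append(rec["ts"])
        recent[rec["ip"]] = window
        if len(window) >= BURST_COUNT and rec["ip"] not in burst_reported:
            burst_reported.add(rec["ip"])
            findings.append(("login_burst", rec["ip"], len(window)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The oversized rule is the cheap, high-confidence signal for the long-password PoCs; the burst rule catches the enumeration and flood modes, which use small requests and are only visible by rate. On a server that logs only response size, put the request-size check in the reverse proxy or a WAF rule instead.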

References (9)

http://www.openwall.com/lists/oss-security/2014/11/20/3 · Mailing List, Third Party Advisory (x_refsource_mlist)
http://www.openwall.com/lists/oss-security/2014/11/20/21 · Mailing List, Third Party Advisory (x_refsource_mlist)
http://secunia.com/advisories/59164 · Third Party Advisory (x_refsource_secunia)
https://www.drupal.org/node/2378367 · Patch, Vendor Advisory (x_refsource_misc)
http://www.openwall.com/lists/oss-security/2014/11/21/1 · Mailing List, Third Party Advisory (x_refsource_mlist)
http://secunia.com/advisories/59814 · Third Party Advisory (x_refsource_secunia)
http://www.debian.org/security/2014/dsa-3075 · Vendor Advisory (x_refsource_debian)
https://www.drupal.org/node/2378375 · Patch, Vendor Advisory (x_refsource_confirm)
https://www.drupal.org/SA-CORE-2014-006 · Vendor Advisory (x_refsource_confirm)

Scores

EPSS 0.8270 (estimated 82.7% probability of exploitation activity in the next 30 days)
EPSS Percentile 99.6% (higher than 99.6% of all scored CVEs)

Details

Status published
Products (3)
debian/debian_linux 7.0
drupal/drupal 7.0 - 7.33 (fixed in 7.34)
secure_password_hashes_project/secure_passwords_hashes 6.x-2.0 (fixed in 6.x-2.1)
Published Nov 24, 2014
Tracked Since Feb 18, 2026