CVE-2014-9034

WordPress Long Password DoS

Title source: metasploit

Description

wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.

Exploits (3)

exploitdb WORKING POC
by Javer Nieto & Andres Rojas · text · dos · php
https://www.exploit-db.com/exploits/35414
exploitdb WORKING POC
by SECURELI.com · php · dos · php
https://www.exploit-db.com/exploits/35413
metasploit WORKING POC
by Javier Nieto Arevalo, Andres Rojas Guerrero, rastating · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/wordpress_long_password_dos.rb

Scores

EPSS 0.7248
EPSS Percentile 98.8%

Details

CWE CWE-19
Status published
Products (10)
wordpress/wordpress 3.8
wordpress/wordpress 3.8.1
wordpress/wordpress 3.8.2
wordpress/wordpress 3.8.3
wordpress/wordpress 3.8.4
wordpress/wordpress 3.9
wordpress/wordpress 3.9.1
wordpress/wordpress 3.9.2
wordpress/wordpress 4.0
wordpress/wordpress < 3.7.4
Published Nov 25, 2014
Tracked Since Feb 18, 2026