CVE-2014-9034

WordPress Long Password DoS

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-9034: two exploit-db PoCs (by Javier Nieto and Andres Rojas, and by SECURELI.com) and the Metasploit module auxiliary/dos/http/wordpress_long_password_dos (by Javier Nieto Arevalo, Andres Rojas Guerrero and rastating).

AI-analyzed exploit summary

All three exploits cause a denial of service in unpatched WordPress (before 3.7.5, 3.8.5, 3.9.3 and 4.0.1) by POSTing login requests whose password field is extremely long. phpass hashes the entire password on every login attempt, so the CPU spent per request grows with the password length, and a handful of concurrent requests is enough to saturate the server. The password is only hashed after WordPress has found a matching account, so the login name in the request must exist on the target.

Description

wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.
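To make the cost concrete, here is an added example (not WordPress's or phpass's code, and not one of the PoCs listed below): a Python re-implementation of the phpass portable ($P$) hash that counts the bytes MD5 has to process for one password check, with a pre-fix wp_check_password next to one that applies the 4096-byte cap the 4.0.1 fix introduced. Assumptions: WordPress's stored hashes use the $P$B setting (2^13 rounds), and the salt strings and passwords are constructed.

```python
import hashlib

# Added example: a re-implementation of the phpass "portable" ($P$) hash from
# wp-includes/class-phpass.php, instrumented to count how many bytes MD5 must
# process for one password check. Not WordPress's code, and not one of the PoCs.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# WordPress stores $P$B hashes: setting[3] == 'B' is index 13 in ITOA64, so
# every verification runs 2**13 = 8192 MD5 rounds over digest + password.
WP_COUNT_LOG2 = 13
MAX_PASSWORD_LEN = 4096  # cap added by the fix (WordPress changeset 30467)


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (encode64 in class-phpass.php)."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password: bytes, setting: str) -> tuple[str, int]:
    """Return (hash, bytes fed to MD5). Mirrors crypt_private(): one MD5 over
    salt + password, then 2**count_log2 rounds of MD5 over digest + password.
    The attacker controls len(password); the round count is fixed by the hash."""
    if setting[:3] != "$P$":
        raise ValueError("only $P$ portable hashes are modelled here")
    count_log2 = ITOA64.index(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        raise ValueError("phpass rejects this iteration count")
    count = 1 << count_log2
    salt = setting[4:12].encode()
    digest = hashlib.md5(salt + password).digest()
    hashed = len(salt) + len(password)
    for _ in range(count):
        digest = hashlib.md5(digest + password).digest()
        hashed += len(digest) + len(password)
    return setting[:12] + _encode64(digest, 16), hashed


def check_password_vulnerable(password: bytes, stored: str) -> bool:
    """Pre-fix wp_check_password(): hashes whatever arrives, however long."""
    return crypt_private(password, stored)[0] == stored


def check_password_fixed(password: bytes, stored: str) -> bool:
    """Post-fix behaviour: refuse oversized input before any hashing happens."""
    if len(password) > MAX_PASSWORD_LEN:
        return False
    return crypt_private(password, stored)[0] == stored


def md5_bytes_per_check(password_len: int, count_log2: int = WP_COUNT_LOG2) -> int:
    """Work for one verification, computed rather than performed."""
    return (8 + password_len) + (1 << count_log2) * (16 + password_len)


if __name__ == "__main__":
    # Constructed salt; "$P$5" (index 7, so 128 rounds) keeps the demo fast.
    stored = crypt_private(b"correct horse", "$P$5saltsalt")[0]
    print(stored, check_password_fixed(b"correct horse", stored))
    # A 1 MB password against a real $P$B hash: about 8 GB through MD5 per request.
    print(md5_bytes_per_check(1_000_000))
    print(check_password_vulnerable(b"A" * 100_000, stored))  # hashes ~12.9 MB, then False
    print(check_password_fixed(b"A" * 100_000, stored))       # False without hashing anything
```

The point of the two checks is where the length test sits: the fixed version rejects before the first MD5 call, so an oversized password costs a string-length comparison rather than thousands of MD5 rounds over the whole input.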

Exploits (3)

exploitdb WORKING POC
by Javer Nieto & Andres Rojas · text · dos · php
https://www.exploit-db.com/exploits/35414

This PoC demonstrates the DoS against WordPress up to 4.0 by sending a login request whose password field is excessively long. The server hashes the entire password, so each request consumes CPU until the hash completes, and repeated requests overwhelm the server.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: WordPress < 4.0.1
No auth needed
Prerequisites: Access to the target WordPress login page
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by SECURELI.com · php · dos · php
https://www.exploit-db.com/exploits/35413

This PoC exploits a DoS vulnerability in WordPress <= v4.0 by sending multiple POST requests with an excessively long password field, causing resource exhaustion. It uses cURL multi-handling to simulate concurrent requests.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: WordPress <= v4.0
No auth needed
Prerequisites: Target WordPress site URL · Valid username · PHP environment with cURL support
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
by Javier Nieto Arevalo, Andres Rojas Guerrero, rastating · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/wordpress_long_password_dos.rb

This Metasploit module exploits CVE-2014-9034, a DoS vulnerability in WordPress caused by improper handling of long passwords during hashing. It sends multiple login requests with extremely long passwords to consume CPU resources.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1
No auth needed
Prerequisites: Target WordPress instance · Network access to the target
devstral-2 · analyzed Feb 16, 2026
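What the PoCs above put on the wire, and how it shows up in a web server log, as an added example (not code from the listed PoCs, from Metasploit, or from WordPress): a Python script that builds the wp-login.php form body the exploits send, applies the same 4096-byte check at the request boundary instead of inside PHP, and counts oversized login POSTs per source address over constructed nginx-style log lines. The log format (with $request_length), the sample lines and the usernames are assumptions; the 4096 limit is the one the WordPress fix uses.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlencode

LOGIN_PATH = "/wp-login.php"
PWD_LIMIT = 4096  # same cap the 4.0.1 fix applies inside wp_check_password


def build_login_body(username: str, pwd_len: int) -> bytes:
    """Form body the PoCs POST to wp-login.php: an existing login name (the
    password is only hashed once the user is found) and a huge 'pwd' field."""
    form = {"log": username, "pwd": "A" * pwd_len, "wp-submit": "Log In"}
    return urlencode(form).encode()


def login_body_exceeds_limit(body: bytes, limit: int = PWD_LIMIT) -> bool:
    """Edge check (WAF, reverse proxy, or a must-use plugin): reject the request
    before the password ever reaches phpass. Decoding as latin-1 keeps the
    byte length intact for the comparison."""
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return any(len(v.encode("latin-1")) > limit for v in fields.get("pwd", []))


# Assumed nginx log_format (not a WordPress or nginx default):
#   '$remote_addr - [$time_local] "$request" $status $request_length'
# $request_length covers headers and body, so an oversized login shows up as a
# POST to wp-login.php whose request length is far above a normal ~1 KB login.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+)$'
)

# Constructed sample: one address hammering the login with ~1 MB bodies,
# one ordinary user logging in and reaching wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - [25/Nov/2014:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1048834
203.0.113.7 - [25/Nov/2014:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1048834
198.51.100.9 - [25/Nov/2014:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 302 612
203.0.113.7 - [25/Nov/2014:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1048834
198.51.100.9 - [25/Nov/2014:10:01:07 +0000] "GET /wp-admin/ HTTP/1.1" 200 410
"""


def oversized_login_posts(log_text: str, threshold: int = PWD_LIMIT) -> Counter:
    """Count, per source address, POSTs to the login endpoint whose request
    length exceeds the threshold. Returns a Counter keyed by IP."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST"
                and m["path"].split("?", 1)[0] == LOGIN_PATH
                and int(m["req_len"]) > threshold):
            hits[m["ip"]] += 1
    return hits


if __name__ == "__main__":
    body = build_login_body("editor", 1_000_000)  # constructed username
    print(len(body), login_body_exceeds_limit(body))
    print(oversized_login_posts(SAMPLE_LOG))
```

The log check is coarse by design: it needs no body logging, only $request_length, and a normal login with cookies and headers stays well under the 4096-byte threshold while a PoC request is orders of magnitude over it.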

References (7)

Third Party Advisory (Debian DSA-3085)
http://www.debian.org/security/2014/dsa-3085
Mailing List (oss-security)
http://openwall.com/lists/oss-security/2014/11/25/12
Vendor Advisory (WordPress changeset 30467, the fix)
http://core.trac.wordpress.org/changeset/30467
Third Party Advisory (Mageia MGASA-2014-0493)
http://advisories.mageia.org/MGASA-2014-0493.html
Third Party Advisory, VDB Entry (SecurityTracker 1031243)
http://www.securitytracker.com/id/1031243
Vendor Advisory (Mandriva MDVSA-2014:233)
http://www.mandriva.com/security/advisories?name=MDVSA-2014:233
Patch, Vendor Advisory (WordPress 4.0.1 release notes)
https://wordpress.org/news/2014/11/wordpress-4-0-1/

Scores

EPSS 0.8316
EPSS Percentile 99.6%

Details

CWE
CWE-19
Status published
Products (10)
wordpress/wordpress 3.8
wordpress/wordpress 3.8.1
wordpress/wordpress 3.8.2
wordpress/wordpress 3.8.3
wordpress/wordpress 3.8.4
wordpress/wordpress 3.9
wordpress/wordpress 3.9.1
wordpress/wordpress 3.9.2
wordpress/wordpress 4.0
wordpress/wordpress < 3.7.5
Published Nov 25, 2014
Tracked Since Feb 18, 2026