Description
WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash.
References (6)
Core References
Third Party Advisory [vendor-advisory, x_refsource_debian]: http://www.debian.org/security/2014/dsa-3085
Mailing List [mailing-list, x_refsource_mlist]: http://openwall.com/lists/oss-security/2014/11/25/12
Third Party Advisory [x_refsource_confirm]: http://advisories.mageia.org/MGASA-2014-0493.html
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_sectrack]: http://www.securitytracker.com/id/1031243
Vendor Advisory [vendor-advisory, x_refsource_mandriva]: http://www.mandriva.com/security/advisories?name=MDVSA-2014:233
Patch, Vendor Advisory [x_refsource_confirm]: https://wordpress.org/news/2014/11/wordpress-4-0-1/
Scores
EPSS: 0.0262
EPSS Percentile: 85.8%
Details
CWE: CWE-310
Status: published
Products (14)
debian/debian_linux 7.0
debian/debian_linux 8.0
mageia_project/mageia 3
mageia_project/mageia 4
wordpress/wordpress 3.8
wordpress/wordpress 3.8.1
wordpress/wordpress 3.8.2
wordpress/wordpress 3.8.3
wordpress/wordpress 3.8.4
wordpress/wordpress 3.9
... and 4 more
Published: Nov 25, 2014
Tracked Since: Feb 18, 2026