WordPress 3.7.1 & 3.8.1 – Potential Authentication Cookie Forgery | CVE 2014-0166

Affects WordPress

3.8.1

Fixed in WordPress 3.8.2

3.7.1

Fixed in WordPress 3.7.2

References

CVE

CVE-2014-0166

URL

https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/

URL

https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

Miscellaneous

Verified

No

WPVDB ID

846e7591-a7b9-440a-92ae-655917b4768e

Timeline

Publicly Published

2014-08-01 (about 9 years ago)

Added

2014-08-01 (about 9 years ago)

Last Updated

2020-10-25 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass

Published

2024-05-06

Title

Edwiser Bridge < 3.0.6 - Authentication Bypass due to Missing Empty Value Check

Published

2016-05-31

Title

Stream <= 3.0.5 - Unauthenticated Events Export

Published

2022-08-09

Title

Simple Single Sign On <= 4.1.0 - Authentication Bypass

Published

2021-08-24

Title

Booster for WooCommerce < 5.4.4 - Authentication Bypass