ID CVE-2014-5266
Summary The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.
References
Vulnerable Configurations
  • WordPress 3.0
    cpe:2.3:a:wordpress:wordpress:3.0
  • WordPress 3.0.1
    cpe:2.3:a:wordpress:wordpress:3.0.1
  • WordPress 3.0.2
    cpe:2.3:a:wordpress:wordpress:3.0.2
  • WordPress 3.0.3
    cpe:2.3:a:wordpress:wordpress:3.0.3
  • WordPress 3.0.4
    cpe:2.3:a:wordpress:wordpress:3.0.4
  • WordPress 3.0.5
    cpe:2.3:a:wordpress:wordpress:3.0.5
  • WordPress 3.0.6
    cpe:2.3:a:wordpress:wordpress:3.0.6
  • WordPress 3.1
    cpe:2.3:a:wordpress:wordpress:3.1
  • WordPress 3.1.1
    cpe:2.3:a:wordpress:wordpress:3.1.1
  • WordPress 3.1.2
    cpe:2.3:a:wordpress:wordpress:3.1.2
  • WordPress 3.1.3
    cpe:2.3:a:wordpress:wordpress:3.1.3
  • WordPress 3.1.4
    cpe:2.3:a:wordpress:wordpress:3.1.4
  • WordPress 3.2
    cpe:2.3:a:wordpress:wordpress:3.2
  • WordPress 3.2 Beta 1
    cpe:2.3:a:wordpress:wordpress:3.2:beta1
  • WordPress 3.2.1
    cpe:2.3:a:wordpress:wordpress:3.2.1
  • WordPress 3.3
    cpe:2.3:a:wordpress:wordpress:3.3
  • WordPress 3.3.1
    cpe:2.3:a:wordpress:wordpress:3.3.1
  • WordPress 3.3.2
    cpe:2.3:a:wordpress:wordpress:3.3.2
  • WordPress 3.3.3
    cpe:2.3:a:wordpress:wordpress:3.3.3
  • WordPress 3.4.0
    cpe:2.3:a:wordpress:wordpress:3.4.0
  • WordPress 3.4.1
    cpe:2.3:a:wordpress:wordpress:3.4.1
  • WordPress 3.4.2
    cpe:2.3:a:wordpress:wordpress:3.4.2
  • WordPress 3.5.0
    cpe:2.3:a:wordpress:wordpress:3.5.0
  • WordPress 3.5.1
    cpe:2.3:a:wordpress:wordpress:3.5.1
  • WordPress 3.6
    cpe:2.3:a:wordpress:wordpress:3.6
  • WordPress 3.6.1
    cpe:2.3:a:wordpress:wordpress:3.6.1
  • WordPress 3.7
    cpe:2.3:a:wordpress:wordpress:3.7
  • WordPress 3.7.1
    cpe:2.3:a:wordpress:wordpress:3.7.1
  • WordPress 3.8
    cpe:2.3:a:wordpress:wordpress:3.8
  • WordPress 3.8.1
    cpe:2.3:a:wordpress:wordpress:3.8.1
  • WordPress 3.9.0
    cpe:2.3:a:wordpress:wordpress:3.9.0
  • WordPress 3.9.1
    cpe:2.3:a:wordpress:wordpress:3.9.1
  • Drupal 7.30
    cpe:2.3:a:drupal:drupal:7.30
  • Drupal 7.0
    cpe:2.3:a:drupal:drupal:7.0
  • Drupal 7.0 alpha1
    cpe:2.3:a:drupal:drupal:7.0:alpha1
  • Drupal 7.0 alpha2
    cpe:2.3:a:drupal:drupal:7.0:alpha2
  • Drupal 7.0 alpha3
    cpe:2.3:a:drupal:drupal:7.0:alpha3
  • Drupal 7.0 alpha4
    cpe:2.3:a:drupal:drupal:7.0:alpha4
  • Drupal 7.0 alpha5
    cpe:2.3:a:drupal:drupal:7.0:alpha5
  • Drupal 7.0 alpha6
    cpe:2.3:a:drupal:drupal:7.0:alpha6
  • Drupal 7.0 alpha7
    cpe:2.3:a:drupal:drupal:7.0:alpha7
  • Drupal 7.0 Beta 1
    cpe:2.3:a:drupal:drupal:7.0:beta1
  • Drupal 7.0 Beta 2
    cpe:2.3:a:drupal:drupal:7.0:beta2
  • Drupal 7.0 Beta 3
    cpe:2.3:a:drupal:drupal:7.0:beta3
  • Drupal 7.0 dev
    cpe:2.3:a:drupal:drupal:7.0:dev
  • Drupal 7.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:7.0:rc1
  • Drupal 7.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:7.0:rc2
  • Drupal 7.0 Release Candidate 3
    cpe:2.3:a:drupal:drupal:7.0:rc3
  • Drupal 7.0 Release Candidate 4
    cpe:2.3:a:drupal:drupal:7.0:rc4
  • Drupal 7.1
    cpe:2.3:a:drupal:drupal:7.1
  • Drupal 7.10
    cpe:2.3:a:drupal:drupal:7.10
  • Drupal 7.11
    cpe:2.3:a:drupal:drupal:7.11
  • Drupal 7.12
    cpe:2.3:a:drupal:drupal:7.12
  • Drupal 7.13
    cpe:2.3:a:drupal:drupal:7.13
  • Drupal 7.14
    cpe:2.3:a:drupal:drupal:7.14
  • Drupal 7.15
    cpe:2.3:a:drupal:drupal:7.15
  • Drupal 7.16
    cpe:2.3:a:drupal:drupal:7.16
  • Drupal 7.17
    cpe:2.3:a:drupal:drupal:7.17
  • Drupal 7.18
    cpe:2.3:a:drupal:drupal:7.18
  • Drupal 7.19
    cpe:2.3:a:drupal:drupal:7.19
  • Drupal 7.2
    cpe:2.3:a:drupal:drupal:7.2
  • Drupal 7.20
    cpe:2.3:a:drupal:drupal:7.20
  • Drupal 7.21
    cpe:2.3:a:drupal:drupal:7.21
  • Drupal 7.22
    cpe:2.3:a:drupal:drupal:7.22
  • Drupal 7.23
    cpe:2.3:a:drupal:drupal:7.23
  • Drupal 7.24
    cpe:2.3:a:drupal:drupal:7.24
  • Drupal 7.25
    cpe:2.3:a:drupal:drupal:7.25
  • Drupal 7.26
    cpe:2.3:a:drupal:drupal:7.26
  • Drupal 7.27
    cpe:2.3:a:drupal:drupal:7.27
  • Drupal 7.28
    cpe:2.3:a:drupal:drupal:7.28
  • Drupal 7.29
    cpe:2.3:a:drupal:drupal:7.29
  • Drupal 7.3
    cpe:2.3:a:drupal:drupal:7.3
  • Drupal 7.4
    cpe:2.3:a:drupal:drupal:7.4
  • Drupal 7.5
    cpe:2.3:a:drupal:drupal:7.5
  • Drupal 7.6
    cpe:2.3:a:drupal:drupal:7.6
  • Drupal 7.7
    cpe:2.3:a:drupal:drupal:7.7
  • Drupal 7.8
    cpe:2.3:a:drupal:drupal:7.8
  • Drupal 7.9
    cpe:2.3:a:drupal:drupal:7.9
  • Drupal 7.x-dev
    cpe:2.3:a:drupal:drupal:7.x-dev
  • Drupal 6.0
    cpe:2.3:a:drupal:drupal:6.0
  • Drupal 6.0 beta1
    cpe:2.3:a:drupal:drupal:6.0:beta1
  • Drupal 6.0 beta2
    cpe:2.3:a:drupal:drupal:6.0:beta2
  • Drupal 6.0 beta3
    cpe:2.3:a:drupal:drupal:6.0:beta3
  • Drupal 6.0 beta4
    cpe:2.3:a:drupal:drupal:6.0:beta4
  • Drupal 6.0 dev
    cpe:2.3:a:drupal:drupal:6.0:dev
  • Drupal 6.0 release candidate 1
    cpe:2.3:a:drupal:drupal:6.0:rc1
  • Drupal 6.0 release candidate 2
    cpe:2.3:a:drupal:drupal:6.0:rc2
  • Drupal 6.0 release candidate 3
    cpe:2.3:a:drupal:drupal:6.0:rc3
  • Drupal 6.0 release candidate 4
    cpe:2.3:a:drupal:drupal:6.0:rc4
  • Drupal 6.1
    cpe:2.3:a:drupal:drupal:6.1
  • Drupal 6.10
    cpe:2.3:a:drupal:drupal:6.10
  • Drupal 6.11
    cpe:2.3:a:drupal:drupal:6.11
  • Drupal 6.12
    cpe:2.3:a:drupal:drupal:6.12
  • Drupal 6.13
    cpe:2.3:a:drupal:drupal:6.13
  • Drupal 6.14
    cpe:2.3:a:drupal:drupal:6.14
  • Drupal 6.15
    cpe:2.3:a:drupal:drupal:6.15
  • Drupal 6.16
    cpe:2.3:a:drupal:drupal:6.16
  • Drupal 6.17
    cpe:2.3:a:drupal:drupal:6.17
  • Drupal 6.18
    cpe:2.3:a:drupal:drupal:6.18
  • Drupal 6.19
    cpe:2.3:a:drupal:drupal:6.19
  • Drupal 6.2
    cpe:2.3:a:drupal:drupal:6.2
  • Drupal 6.20
    cpe:2.3:a:drupal:drupal:6.20
  • Drupal 6.21
    cpe:2.3:a:drupal:drupal:6.21
  • Drupal 6.22
    cpe:2.3:a:drupal:drupal:6.22
  • Drupal 6.23
    cpe:2.3:a:drupal:drupal:6.23
  • Drupal 6.24
    cpe:2.3:a:drupal:drupal:6.24
  • Drupal 6.25
    cpe:2.3:a:drupal:drupal:6.25
  • Drupal 6.26
    cpe:2.3:a:drupal:drupal:6.26
  • Drupal 6.27
    cpe:2.3:a:drupal:drupal:6.27
  • Drupal 6.28
    cpe:2.3:a:drupal:drupal:6.28
  • Drupal 6.29
    cpe:2.3:a:drupal:drupal:6.29
  • Drupal 6.3
    cpe:2.3:a:drupal:drupal:6.3
  • Drupal 6.30
    cpe:2.3:a:drupal:drupal:6.30
  • Drupal 6.31
    cpe:2.3:a:drupal:drupal:6.31
  • Drupal 6.32
    cpe:2.3:a:drupal:drupal:6.32
  • Drupal 6.9
    cpe:2.3:a:drupal:drupal:6.9
  • Drupal 6.8
    cpe:2.3:a:drupal:drupal:6.8
  • Drupal 6.7
    cpe:2.3:a:drupal:drupal:6.7
  • Drupal 6.6
    cpe:2.3:a:drupal:drupal:6.6
  • Drupal 6.5
    cpe:2.3:a:drupal:drupal:6.5
  • Drupal 6.4
    cpe:2.3:a:drupal:drupal:6.4
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
CVSS
Base: 5.0 (as of 25-11-2015 - 14:02)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
metasploit via4
description Wordpress XMLRPC parsing is vulnerable to a XML based denial of service. This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched).
id MSF:AUXILIARY/DOS/HTTP/WORDPRESS_XMLRPC_DOS
last seen 2019-03-24
modified 2018-07-12
published 2014-08-07
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb
title Wordpress XMLRPC DoS
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3001.NASL
    description Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 77102
    published 2014-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77102
    title Debian DSA-3001-1 : wordpress - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-9278.NASL
    description Update to upstream 7.31 release for SA-CORE-2014-004 This is a bugfix release. For complete details, refer to: https://www.drupal.org/drupal-7.30-release-notes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 77314
    published 2014-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77314
    title Fedora 20 : drupal7-7.31-1.fc20 (2014-9278)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-56.NASL
    description Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/ NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 82202
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82202
    title Debian DLA-56-1 : wordpress security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-9277.NASL
    description Update to upstream 7.31 release for SA-CORE-2014-004 This is a bugfix release. For complete details refer to: https://www.drupal.org/drupal-7.30-release-notes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 77313
    published 2014-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77313
    title Fedora 19 : drupal7-7.31-1.fc19 (2014-9277)
  • NASL family CGI abuses
    NASL id DRUPAL_7_31.NASL
    description The remote web server is running a version of Drupal that is 6.x prior to 6.33 or 7.x prior to 7.31. It is, therefore, potentially affected by multiple denial of service vulnerabilities : - The XML-RPC library in Drupal allows entity declarations without considering recursion during entity expansion. A remote attacker, using a crafted XML document with a large number of nested entity references, can cause a denial of service by consuming available memory and CPU resources. (CVE-2014-5265) - The XML-RPC library in Drupal does not limit the number of elements in an XML document. A remote attacker, via a large document, could cause a denial of service by CPU consumption. (CVE-2014-5266) - An XML injection flaw exists in 'xmlrpc.php' due to the parser accepting XML internal entities from untrusted sources. A remote attacker, via specially crafted XML data, could exploit this to cause a denial of service. This vulnerability also exists within the Drupal OpenID module. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 77186
    published 2014-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77186
    title Drupal 6.x < 6.33 / 7.x < 7.31 XML-RPC DoS
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-9264.NASL
    description Upstream announcement: http://wordpress.org/news/2014/08/wordpress-3-9-2/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 77312
    published 2014-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77312
    title Fedora 20 : wordpress-3.9.2-3.fc20 (2014-9264)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2999.NASL
    description A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to the site becoming unavailable or unresponsive. More information can be found at https://www.drupal.org/SA-CORE-2014-004.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 77100
    published 2014-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77100
    title Debian DSA-2999-1 : drupal7 - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-9281.NASL
    description - Update to Drupal 6.33. - Drupal 6.33 release notes can be found here, https://www.drupal.org/drupal-6.33-release-notes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 77948
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77948
    title Fedora 20 : drupal6-6.33-1.fc20 (2014-9281)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-9270.NASL
    description Upstream announcement: http://wordpress.org/news/2014/08/wordpress-3-9-2/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 77347
    published 2014-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77347
    title Fedora 19 : wordpress-3.9.2-3.fc19 (2014-9270)
  • NASL family CGI abuses
    NASL id WORDPRESS_3_9_2.NASL
    description According to its version number, the WordPress application hosted on the remote web server is affected by multiple vulnerabilities : - An XML injection flaw exists within 'getid3.lib.php' due to the parser accepting XML external entities from untrusted sources. Using specially crafted XML data, a remote attacker could access sensitive information or cause a denial of service. This affects versions 3.6 - 3.9.1, except 3.7.4 and 3.8.4. - An XML injection flaw exists within 'xmlrpc.php' due to the parser accepting XML internal entities without properly validating them. Using specially crafted XML data, a remote attacker could cause a denial of service. This affects versions 1.5 - 3.9.1, except 3.7.4 and 3.8.4. - An unsafe serialization flaw exists in the script '/src/wp-includes/class-wp-customize-widgets.php' when processing widgets. This could allow a remote attacker to execute arbitrary code. Versions 3.9 and 3.9.1 non-default configurations are affected. - A flaw exists when building CSRF tokens due to it not separating pieces by delimiter and not comparing nonces in a time-constant manner. This could allow a remote attacker to conduct a brute force attack and potentially disclose the CSRF token. This affects versions 2.0.3 - 3.9.1, except 3.7.4 and 3.8.4. - A cross-site scripting flaw exists in the function 'get_avatar' within the '/src/wp-includes/pluggable.php' script where input from the avatars is not validated before returning it to the user. Using a specially crafted request, an authenticated attacker could execute arbitrary script code within the browser / server trust relationship. This affects version 3.9.1. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 77157
    published 2014-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77157
    title WordPress < 3.7.4 / 3.8.4 / 3.9.2 Multiple Vulnerabilities
refmap via4
confirm
debian
  • DSA-2999
  • DSA-3001
Last major update 25-11-2015 - 15:39
Published 18-08-2014 - 07:15
Back to Top