CVE-2014-5203 - wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.

CVE-2014-5203

Summary

wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.

References

http://openwall.com/lists/oss-security/2014/08/13/3
https://core.trac.wordpress.org/changeset/29389
https://wordpress.org/news/2014/08/wordpress-3-9-2/

Vulnerable Configurations

cpe:2.3:a:wordpress:wordpress:3.9.0:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:3.9.0:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:3.9.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:3.9.1:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 28-08-2014 - 18:06)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

confirm	https://core.trac.wordpress.org/changeset/29389 https://wordpress.org/news/2014/08/wordpress-3-9-2/
mlist	[oss-security] 20140813 Re: WordPress 3.9.2 release - needs CVE's

Last major update

28-08-2014 - 18:06

Published

18-08-2014 - 11:15

Last modified

28-08-2014 - 18:06