CVE-2014-9039
NONE
Published Nov 25, 2014 · Last Modified Jun 17, 2026
Description
wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message.
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses (1)
CWE-254
Affected Products (14)
| Vendor | Product | Version | Range |
|---|---|---|---|
| debian | debian_linux | 7.0 | any |
| debian | debian_linux | 8.0 | any |
| mageia_project | mageia | 3 | any |
| mageia_project | mageia | 4 | any |
| wordpress | wordpress | * | ≤3.7.4 |
| wordpress | wordpress | 3.8 | any |
| wordpress | wordpress | 3.8.1 | any |
| wordpress | wordpress | 3.8.2 | any |
| wordpress | wordpress | 3.8.3 | any |
| wordpress | wordpress | 3.8.4 | any |
| wordpress | wordpress | 3.9 | any |
| wordpress | wordpress | 3.9.1 | any |
| wordpress | wordpress | 3.9.2 | any |
| wordpress | wordpress | 4.0 | any |
References (7)
- advisories.mageia.org http://advisories.mageia.org/MGASA-2014-0493.html
- core.trac.wordpress.org http://core.trac.wordpress.org/changeset/30431
- openwall.com http://openwall.com/lists/oss-security/2014/11/25/12
- debian.org http://www.debian.org/security/2014/dsa-3085
- mandriva.com http://www.mandriva.com/security/advisories?name=MDVSA-2014:233
- securitytracker.com http://www.securitytracker.com/id/1031243
- wordpress.org https://wordpress.org/news/2014/11/wordpress-4-0-1/
Remediation
- wordpress.org https://wordpress.org/news/2014/11/wordpress-4-0-1/