CVE-2014-0166

The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Wordpress	Wordpress	0.71	0.71
Wordpress	Wordpress	1.0	1.0
Wordpress	Wordpress	1.0.1	1.0.1
Wordpress	Wordpress	1.0.2	1.0.2
Wordpress	Wordpress	1.1.1	1.1.1
Wordpress	Wordpress	1.2	1.2
Wordpress	Wordpress	1.2.1	1.2.1
Wordpress	Wordpress	1.2.2	1.2.2
Wordpress	Wordpress	1.2.3	1.2.3
Wordpress	Wordpress	1.2.4	1.2.4
Wordpress	Wordpress	1.2.5	1.2.5
Wordpress	Wordpress	1.2.5	1.2.5
Wordpress	Wordpress	1.3	1.3
Wordpress	Wordpress	1.3.2	1.3.2
Wordpress	Wordpress	1.3.3	1.3.3
Wordpress	Wordpress	1.5	1.5
Wordpress	Wordpress	1.5.1	1.5.1
Wordpress	Wordpress	1.5.1.1	1.5.1.1
Wordpress	Wordpress	1.5.1.2	1.5.1.2
Wordpress	Wordpress	1.5.1.3	1.5.1.3
Wordpress	Wordpress	1.5.2	1.5.2
Wordpress	Wordpress	1.6.2	1.6.2
Wordpress	Wordpress	2.0	2.0
Wordpress	Wordpress	2.0.1	2.0.1
Wordpress	Wordpress	2.0.2	2.0.2
Wordpress	Wordpress	2.0.4	2.0.4
Wordpress	Wordpress	2.0.5	2.0.5
Wordpress	Wordpress	2.0.6	2.0.6
Wordpress	Wordpress	2.0.7	2.0.7
Wordpress	Wordpress	2.0.8	2.0.8
Wordpress	Wordpress	2.0.9	2.0.9
Wordpress	Wordpress	2.0.10	2.0.10
Wordpress	Wordpress	2.0.11	2.0.11
Wordpress	Wordpress	2.1	2.1
Wordpress	Wordpress	2.1.1	2.1.1
Wordpress	Wordpress	2.1.2	2.1.2
Wordpress	Wordpress	2.1.3	2.1.3
Wordpress	Wordpress	2.2	2.2
Wordpress	Wordpress	2.2.1	2.2.1
Wordpress	Wordpress	2.2.2	2.2.2
Wordpress	Wordpress	2.2.3	2.2.3
Wordpress	Wordpress	2.3	2.3
Wordpress	Wordpress	2.3.1	2.3.1
Wordpress	Wordpress	2.3.2	2.3.2
Wordpress	Wordpress	2.3.3	2.3.3
Wordpress	Wordpress	2.5	2.5
Wordpress	Wordpress	2.5.1	2.5.1
Wordpress	Wordpress	2.6	2.6
Wordpress	Wordpress	2.6.1	2.6.1
Wordpress	Wordpress	2.6.2	2.6.2
Wordpress	Wordpress	2.6.3	2.6.3
Wordpress	Wordpress	2.6.5	2.6.5
Wordpress	Wordpress	2.7	2.7
Wordpress	Wordpress	2.7.1	2.7.1
Wordpress	Wordpress	2.8	2.8
Wordpress	Wordpress	2.8.1	2.8.1
Wordpress	Wordpress	2.8.2	2.8.2
Wordpress	Wordpress	2.8.3	2.8.3
Wordpress	Wordpress	2.8.4	2.8.4
Wordpress	Wordpress	2.8.4	2.8.4
Wordpress	Wordpress	2.8.5	2.8.5
Wordpress	Wordpress	2.8.5.1	2.8.5.1
Wordpress	Wordpress	2.8.5.2	2.8.5.2
Wordpress	Wordpress	2.8.6	2.8.6
Wordpress	Wordpress	2.9	2.9
Wordpress	Wordpress	2.9.1	2.9.1
Wordpress	Wordpress	2.9.1.1	2.9.1.1
Wordpress	Wordpress	2.9.2	2.9.2
Wordpress	Wordpress	3.0	3.0
Wordpress	Wordpress	3.0.1	3.0.1
Wordpress	Wordpress	3.0.2	3.0.2
Wordpress	Wordpress	3.0.3	3.0.3
Wordpress	Wordpress	3.0.4	3.0.4
Wordpress	Wordpress	3.0.5	3.0.5
Wordpress	Wordpress	3.0.6	3.0.6
Wordpress	Wordpress	3.1	3.1
Wordpress	Wordpress	3.1.1	3.1.1
Wordpress	Wordpress	3.1.2	3.1.2
Wordpress	Wordpress	3.1.3	3.1.3
Wordpress	Wordpress	3.1.4	3.1.4
Wordpress	Wordpress	3.2	3.2
Wordpress	Wordpress	3.2	3.2
Wordpress	Wordpress	3.2.1	3.2.1
Wordpress	Wordpress	3.3	3.3
Wordpress	Wordpress	3.3.1	3.3.1
Wordpress	Wordpress	3.3.2	3.3.2
Wordpress	Wordpress	3.3.3	3.3.3
Wordpress	Wordpress	3.4.0	3.4.0
Wordpress	Wordpress	3.4.1	3.4.1
Wordpress	Wordpress	3.4.2	3.4.2
Wordpress	Wordpress	3.5.0	3.5.0
Wordpress	Wordpress	3.5.1	3.5.1
Wordpress	Wordpress	3.6	3.6
Wordpress	Wordpress	3.6.1	3.6.1
Wordpress	Wordpress	3.7	3.7
Wordpress	Wordpress	*	3.7.1
Wordpress	Wordpress	3.8	3.8
Wordpress	Wordpress	3.8.1	3.8.1
Wordpress	Ubuntu	lucid	*
Wordpress	Ubuntu	precise	*
Wordpress	Ubuntu	quantal	*
Wordpress	Ubuntu	saucy	*
Wordpress	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-0166
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

References

CVE-2014-0166

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References