WordPress <= 4.0 – Server Side Request Forgery (SSRF) | CVE 2014-9038

Affects WordPress

3.8.1

Fixed in WordPress 4.0.1

3.8

Fixed in WordPress 4.0.1

3.7.1

Fixed in WordPress 4.0.1

3.6

Fixed in WordPress 4.0.1

3.5.2

Fixed in WordPress 4.0.1

3.5.1

Fixed in WordPress 4.0.1

3.5

Fixed in WordPress 4.0.1

3.4.2

Fixed in WordPress 4.0.1

3.4.1

Fixed in WordPress 4.0.1

3.4

Fixed in WordPress 4.0.1

3.3.3

Fixed in WordPress 4.0.1

3.3.2

Fixed in WordPress 4.0.1

3.3.1

Fixed in WordPress 4.0.1

3.3

Fixed in WordPress 4.0.1

3.2.1

Fixed in WordPress 4.0.1

3.2

Fixed in WordPress 4.0.1

3.1.4

Fixed in WordPress 4.0.1

3.1.3

Fixed in WordPress 4.0.1

3.1.2

Fixed in WordPress 4.0.1

3.1.1

Fixed in WordPress 4.0.1

3.1

Fixed in WordPress 4.0.1

3.0.6

Fixed in WordPress 4.0.1

3.0.5

Fixed in WordPress 4.0.1

3.0.4

Fixed in WordPress 4.0.1

3.0.3

Fixed in WordPress 4.0.1

3.0.2

Fixed in WordPress 4.0.1

3.0.1

Fixed in WordPress 4.0.1

3.0

Fixed in WordPress 4.0.1

2.9.2

Fixed in WordPress 4.0.1

2.9.1

Fixed in WordPress 4.0.1

2.9

Fixed in WordPress 4.0.1

2.8.6

Fixed in WordPress 4.0.1

2.8.5

Fixed in WordPress 4.0.1

2.8.4

Fixed in WordPress 4.0.1

2.8.3

Fixed in WordPress 4.0.1

2.8.2

Fixed in WordPress 4.0.1

2.8.1

Fixed in WordPress 4.0.1

2.8

Fixed in WordPress 4.0.1

2.7.1

Fixed in WordPress 4.0.1

2.7

Fixed in WordPress 4.0.1

2.6.5

Fixed in WordPress 4.0.1

2.6.3

Fixed in WordPress 4.0.1

2.6.2

Fixed in WordPress 4.0.1

2.6.1

Fixed in WordPress 4.0.1

2.6

Fixed in WordPress 4.0.1

2.5.1

Fixed in WordPress 4.0.1

2.5

Fixed in WordPress 4.0.1

2.3.3

Fixed in WordPress 4.0.1

2.3.2

Fixed in WordPress 4.0.1

2.3.1

Fixed in WordPress 4.0.1

2.3

Fixed in WordPress 4.0.1

2.2.3

Fixed in WordPress 4.0.1

2.2.2

Fixed in WordPress 4.0.1

2.2.1

Fixed in WordPress 4.0.1

2.2

Fixed in WordPress 4.0.1

2.1.3

Fixed in WordPress 4.0.1

2.1.2

Fixed in WordPress 4.0.1

2.1.1

Fixed in WordPress 4.0.1

2.1

Fixed in WordPress 4.0.1

2.0.11

Fixed in WordPress 4.0.1

2.0.10

Fixed in WordPress 4.0.1

2.0.9

Fixed in WordPress 4.0.1

2.0.8

Fixed in WordPress 4.0.1

2.0.7

Fixed in WordPress 4.0.1

2.0.6

Fixed in WordPress 4.0.1

2.0.5

Fixed in WordPress 4.0.1

2.0.4

Fixed in WordPress 4.0.1

2.0.3

Fixed in WordPress 4.0.1

2.0.2

Fixed in WordPress 4.0.1

2.0.1

Fixed in WordPress 4.0.1

2.0

Fixed in WordPress 4.0.1

1.5.2

Fixed in WordPress 4.0.1

1.5.1.3

Fixed in WordPress 4.0.1

1.5.1.2

Fixed in WordPress 4.0.1

1.5.1.1

Fixed in WordPress 4.0.1

1.5.1

Fixed in WordPress 4.0.1

1.5

Fixed in WordPress 4.0.1

3.6.1

Fixed in WordPress 4.0.1

3.9

Fixed in WordPress 4.0.1

3.9.1

Fixed in WordPress 4.0.1

3.7

Fixed in WordPress 4.0.1

3.8.2

Fixed in WordPress 4.0.1

3.8.3

Fixed in WordPress 4.0.1

3.9.2

Fixed in WordPress 4.0.1

4.0

Fixed in WordPress 4.0.1

1.2

Fixed in WordPress 4.0.1

1.2.1

Fixed in WordPress 4.0.1

References

CVE

CVE-2014-9038

URL

https://core.trac.wordpress.org/changeset/30444

Classification

Type

SSRF

OWASP top 10

A1: Injection

CWE

CWE-918

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

894714e0-e582-4ae8-86d2-9826604bd823

Timeline

Publicly Published

2014-11-30 (about 11 years ago)

Added

2014-11-30 (about 11 years ago)

Last Updated

2019-10-21 (about 6 years ago)

Other

Published

Title

Published

2024-12-18

Title

Broken Link Checker | Finder < 2.5.1 - Authenticated (Author+) Blind Server-Side Request Forgery

Published

2024-07-02

Title

CoBlocks < 3.1.12 - Contributor+ SSRF

Published

2022-04-19

Title

Fusion Builder < 3.6.2 - Unauthenticated SSRF

Published

2024-04-05

Title

RapidLoad Power-Up for Autoptimize < 2.2.12 - Unauthenticated Server-Side Request Forgery

Published

2021-04-13

Title

WP-DownloadManager < 1.68.5 - Server-Side Request Forgery (SSRF)