Unrated severityNVD Advisory· Published Nov 25, 2014· Updated May 6, 2026

CVE-2014-9037

Description

WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash.

Affected products

WordPress/WordPress10 versions
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*+ 9 more
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*range: <=3.7.4
- cpe:2.3:a:wordpress:wordpress:3.8:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:4.0:*:*:*:*:*:*:*
Package: https://wordpress.org/plugins/wordpress
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Mageia Project/Mageia2 versions
cpe:2.3:o:mageia_project:mageia:3:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:mageia_project:mageia:3:*:*:*:*:*:*:*
- cpe:2.3:o:mageia_project:mageia:4:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wordpress.org/news/2014/11/wordpress-4-0-1/nvdPatchVendor Advisory
advisories.mageia.org/MGASA-2014-0493.htmlnvd
openwall.com/lists/oss-security/2014/11/25/12nvd
www.debian.org/security/2014/dsa-3085nvd
www.mandriva.com/security/advisoriesnvd
www.securitytracker.com/id/1031243nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000