CVE-2014-5266

Description

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.

How to fix CVE-2014-5266

To remediate CVE-2014-5266, upgrade the affected package to a fixed version below.

• Debian/wordpress—upgrade to 3.9.2+dfsg-1 or later

Is CVE-2014-5266 being exploited?

Likely — EPSS is 76.3%, placing CVE-2014-5266 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

• from 0, < 3.9.2+dfsg-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-5266