[CVE-2014-9039] WordPress: Password Reset Logic Flaw


wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3 and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an email account that received a password-reset message.
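The affected ranges above can be turned into a check for site inventories. This is an added example, not code from the advisory or from WordPress; it assumes the installed version is read from the `$wp_version` assignment in `wp-includes/version.php`, and the sample file contents are constructed.

```python
import re

# Fixed release for each branch named in the advisory text above.
FIXED = {(3, 7): (3, 7, 5), (3, 8): (3, 8, 5), (3, 9): (3, 9, 3), (4, 0): (4, 0, 1)}

# Constructed sample of wp-includes/version.php (not taken from a real site).
SAMPLE_VERSION_PHP = """<?php
// constructed sample
$wp_version = '3.9.2';
"""


def version_from_php(source):
    """Extract the $wp_version string from the contents of version.php."""
    m = re.search(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", source, re.M)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z'; a suffix such as '-beta1' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised WordPress version: {text!r}")
    # A missing patch component ('4.0') is treated as 0.
    return tuple(int(g or 0) for g in m.groups())


def is_affected(text):
    """True if the version falls in the ranges listed for CVE-2014-9039."""
    v = parse_version(text)
    if v < (3, 7, 5):
        return True  # "before 3.7.5" covers 3.7.x and every older branch
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False  # branch newer than those listed (4.1 and later)
    return v < fixed


if __name__ == "__main__":
    found = version_from_php(SAMPLE_VERSION_PHP)
    print(found, "affected" if is_affected(found) else "not affected")
```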

CVSS 2.0 Base score

Medium (4.3)


Tanoy Bose (simultaneously and independently submitted by Momen Bassel and Bojan Slavkovic)


Limited Disclosure

Vulnerability Tracker
