Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   WordPress Vendors:
WordPress Weak Pseudorandom Number Generator Lets Remote Users Predict Password Reset Tokens
SecurityTracker Alert ID:  1031749
SecurityTracker URL:
CVE Reference:   CVE-2014-6412   (Links to External Site)
Date:  Feb 13 2015
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in WordPress. A remote user may be able to predict the password reset token.

The pseudorandom number generator is not sufficiently random. Windows-based systems are affected.

A remote user can exploit this to predict the password reset token.

The vendor was notified on June 25, 2014.

Scott Arciszewski reported this vulnerability.

Impact:   A remote user may be able to predict the password reset token and gain access to the target site.
Solution:   A proposed patch is available at:

Vendor URL: (Links to External Site)
Cause:   Randomization error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [FD] CVE-2014-6412 - WordPress (all versions) lacks CSPRNG

Ticket opened: 2014-06-25
Affected Versions: ALL
Problem: No CSPRNG
Patch available, collecting dust because of negligent (and questionably
competent) WP maintainers

On June 25, 2014 I opened a ticked on WordPress's issue tracker to expose a
cryptographically secure pseudorandom number generator, since none was
present (although it looks like others have tried to hack together a
band-aid solution to mitigate php_mt_seed until WordPress gets their "let's
support PHP < 5.3" heads out of their asses).

For the past 8 months, I have tried repeatedly to raise awareness of this
bug, even going as far as to attend WordCamp Orlando to troll^H advocate
for its examination in person. And they blew me off every time.

If anyone with RNG breaking experience (cough solar designer cough) can PoC
it, without the patch I've provided you should be able to trivially predict
the password reset token for admin users and take over any WordPress site

Eight fucking months.

Patch available with unit tests and PHP 5.2 on Windows support at


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC