Lumension® Endpoint Intelligence Center



Vulnerability Score 7.5
CVE Id CVE-2008-1930
Last Modified 07 Mar 2011 10:08:16
Published 28 Apr 2008 04:05:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE



The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated string, as demonstrated by registering usernames beginning with "admin" to obtain administrator privileges, aka a "cryptographic splicing" issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-6013.

Vulnerable Systems


  • WordPress 2.5


BID - 28935


VUPEN - ADV-2008-1372

SECTRACK - 1019923

BUGTRAQ - 20080425 Wordpress 2.5 Cookie Integrity Protection Vulnerability


XF - wordpress-cookie-security-bypass(42027)

SECUNIA - 29965

Last Updated: 27 May 2016 10:47:42