CVE-2014-9414

Summary

CVE	CVE-2014-9414
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2014-12-24 18:59:00 UTC
Updated	2023-05-26 17:46:00 UTC
Description	The W3 Total Cache plugin before 0.9.4.1 for WordPress does not properly handle empty nonces, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and hijack the authentication of administrators for requests that change the mobile site redirect URI via the mobile_groups[*][redirect] parameter and an empty _wpnonce parameter in the w3tc_mobile page to wp-admin/admin.php.

Risk And Classification

Problem Types: CWE-352

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Boldgrid	W3 Total Cache	All	All	All	All
Application	W3edge	Total Cache	All	All	All	All

References

Reference	Source	Link	Tags
Security update · wp-plugins/w3-total-cache@9a1cc9f · GitHub	CONFIRM	github.com
Mazin's Ahmed Blog: W3 Total Cache's W3TotalFail Vulnerability That Leads to Full Deface	MISC	mazinahmed1.blogspot.com	Exploit
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
SecurityFocus	BUGTRAQ	www.securityfocus.com
Full Disclosure: W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface	FULLDISC	seclists.org	Exploit
W3 Total Cache 0.9.4 Cross Site Request Forgery ≈ Packet Storm	MISC	packetstormsecurity.com	Exploit
Security Advisory SA61562 - WordPress W3 Total Cache Plugin Cross-Site Request Forgery Vulnerability - Secunia	SECUNIA	secunia.com
WordPress › W3 Total Cache « WordPress Plugins	CONFIRM	wordpress.org	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.