{"api_version":"1","generated_at":"2026-05-30T00:41:40+00:00","cve":"CVE-2014-3845","urls":{"html":"https://cve.report/CVE-2014-3845","api":"https://cve.report/api/cve/CVE-2014-3845.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2014-3845","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2014-3845"},"summary":{"title":"CVE-2014-3845","description":"Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors.  NOTE: some of these details are obtained from third party information.","state":"PUBLISHED","assigner":"mitre","published_at":"2014-05-22 15:13:05","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-352","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.8","severity":"","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://wordpress.org/plugins/tinymce-colorpicker/changelog","name":"http://wordpress.org/plugins/tinymce-colorpicker/changelog","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"WordPress › TinyMCE Color Picker « WordPress Plugins","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/58095","name":"http://secunia.com/advisories/58095","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Security Advisory SA58095 - WordPress TinyMCE Color Picker Plugin Cross-Site Request Forgery and Security Bypass Vulnerabilities - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2014-3845","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3845","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2014","cve_id":"3845","vulnerable":"1","versionEndIncluding":"1.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"tinymce","cpe5":"color_picker","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"3845","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wordpress","cpe5":"wordpress","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T10:57:17.754Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"http://wordpress.org/plugins/tinymce-colorpicker/changelog"},{"name":"58095","tags":["third-party-advisory","x_refsource_SECUNIA","x_transferred"],"url":"http://secunia.com/advisories/58095"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors.  NOTE: some of these details are obtained from third party information."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2014-05-22T15:00:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_MISC"],"url":"http://wordpress.org/plugins/tinymce-colorpicker/changelog"},{"name":"58095","tags":["third-party-advisory","x_refsource_SECUNIA"],"url":"http://secunia.com/advisories/58095"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2014-3845","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors.  NOTE: some of these details are obtained from third party information."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://wordpress.org/plugins/tinymce-colorpicker/changelog","refsource":"MISC","url":"http://wordpress.org/plugins/tinymce-colorpicker/changelog"},{"name":"58095","refsource":"SECUNIA","url":"http://secunia.com/advisories/58095"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2014-3845","datePublished":"2014-05-22T15:00:00.000Z","dateReserved":"2014-05-22T00:00:00.000Z","dateUpdated":"2024-09-17T02:46:33.007Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2014-05-22 15:13:05","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-352","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tinymce:color_picker:*:*:*:*:*:*:*:*","versionEndIncluding":"1.1","matchCriteriaId":"835ABB8C-EE81-4C59-A669-A7C0B2590412"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:a:wordpress:wordpress:-:*:*:*:*:*:*:*","matchCriteriaId":"A77EB0E7-7FA7-4232-97DF-7C7587D163F1"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2014","CveId":"3845","Ordinal":"1","Title":"CVE-2014-3845","CVE":"CVE-2014-3845","Year":"2014"},"notes":[{"CveYear":"2014","CveId":"3845","Ordinal":"1","NoteData":"Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors.  NOTE: some of these details are obtained from third party information.","Type":"Description","Title":"CVE-2014-3845"},{"CveYear":"2014","CveId":"3845","Ordinal":"2","NoteData":"2014-05-22","Type":"Other","Title":"Published"}]}}}