CVE-2012-6707

2017-10-1919:29:00

Debian Security Bug Tracker

security-tracker.debian.org

wordpress

password hashing

md5

security vulnerability

php 5.2

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

58.8%

JSON

WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.

OSVersionArchitecturePackageVersionFilename
Debian12allwordpress<= 6.1.6+dfsg1-0+deb12u1wordpress_6.1.6+dfsg1-0+deb12u1_all.deb
Debian11allwordpress<= 5.7.11+dfsg1-0+deb11u1wordpress_5.7.11+dfsg1-0+deb11u1_all.deb
Debian999allwordpress<= 6.6.1+dfsg1-1wordpress_6.6.1+dfsg1-1_all.deb
Debian13allwordpress<= 6.6.1+dfsg1-1wordpress_6.6.1+dfsg1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	wordpress	<= 6.1.6+dfsg1-0+deb12u1	wordpress_6.1.6+dfsg1-0+deb12u1_all.deb
Debian	11	all	wordpress	<= 5.7.11+dfsg1-0+deb11u1	wordpress_5.7.11+dfsg1-0+deb11u1_all.deb
Debian	999	all	wordpress	<= 6.6.1+dfsg1-1	wordpress_6.6.1+dfsg1-1_all.deb
Debian	13	all	wordpress	<= 6.6.1+dfsg1-1	wordpress_6.6.1+dfsg1-1_all.deb