Timing Side-Channel Attack in WordPress Widget Sanitization

Timing Side-Channel Attack in WordPress Widget Sanitization

CVE-2015-5730 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.

Learn more about our Wordpress Pen Testing.