VDB
CVE-2015-5730
CVE-2015-5730
PUBLISHED
CVSS 5 MEDIUM
The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.
EPSS 9.54% · 93.0th percentile
Risk Scores
CVSS 2.0
5
EPSS Score
9.54%
93.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| wordpress | wordpress | 0 |
| n/a | n/a | n/a |
Timeline
- Nov 9, 2015 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 17, 2025 EPSS Score
- Mar 24, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- Apr 12, 2025 CVE Updated
- May 1, 2025 EPSS Score
- May 4, 2025 EPSS Score
- Jun 1, 2025 EPSS Score
- Jul 1, 2025 EPSS Score
References
- https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/ url
- https://core.trac.wordpress.org/changeset/33535 url
- 76160 vdb
- [oss-security] 20150804 Re: CVE request: WordPress 4.2.3 and earlier multiple vulnerabilities mailing-list
- 1033178 vdb
- DSA-3332 vendor-advisory
- https://wpvulndb.com/vulnerabilities/8130 url
- https://core.trac.wordpress.org/changeset/33536 url
- https://codex.wordpress.org/Version_4.2.4 url
- https://nvd.nist.gov/vuln/detail/CVE-2015-5730 advisory
- https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release url