CVE-2013-2205

WordPress < 3.5.2 - Cross-Site Scripting via SWFUpload allowDomain Bypass

Title source: llm

Description

The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.

References (6)

Vendor Advisory (x_refsource_confirm): http://wordpress.org/news/2013/06/wordpress-3-5-2/
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2013/dsa-2718
Issue Tracking (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=976784
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/60759
Product (x_refsource_confirm): http://codex.wordpress.org/Version_3.5.2

Scores

EPSS 0.0059
EPSS Percentile 69.4%

Details

CWE CWE-16, CWE-79
Status published
Products (49)
wordpress/wordpress 0.71
wordpress/wordpress 1.0
wordpress/wordpress 1.0.1
wordpress/wordpress 1.0.2
wordpress/wordpress 1.1.1
wordpress/wordpress 1.2
wordpress/wordpress 1.2.1
wordpress/wordpress 1.2.2
wordpress/wordpress 1.2.3
wordpress/wordpress 1.2.4
... and 39 more
Published Jul 08, 2013
Tracked Since Feb 18, 2026