CVE-2013-4338
WordPress < 3.6.1 - Remote Code Execution via PHP Unserialize
wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.
References (7)
Core References
http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116832.html [Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora]
http://core.trac.wordpress.org/changeset/25325 [Exploit, Patch; x_refsource_confirm]
http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116828.html [Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora]
http://www.debian.org/security/2013/dsa-2757 [Third Party Advisory; vendor-advisory, x_refsource_debian]
http://codex.wordpress.org/Version_3.6.1 [Vendor Advisory; x_refsource_confirm]
http://wordpress.org/news/2013/09/wordpress-3-6-1/ [Patch, Vendor Advisory; x_refsource_confirm]
http://lists.fedoraproject.org/pipermail/package-announce/2013-September/117118.html [Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora]
Scores
EPSS: 0.0959
EPSS Percentile: 93.0%
Details
CWE: CWE-94
Status: published
Products (1): wordpress/wordpress < 3.6
Published: Sep 12, 2013
Tracked Since: Feb 18, 2026