CVE-2013-5739

Wordpress < 3.6 - XSS

Title source: rule

Description

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.

References (4)

[Vendor Advisory] http://codex.wordpress.org/Version_3.6.1

[Exploit, Patch] http://core.trac.wordpress.org/changeset/25322

[Patch, Vendor Advisory] http://wordpress.org/news/2013/09/wordpress-3-6-1/

[Third Party Advisory] http://www.debian.org/security/2013/dsa-2757

Scores

EPSS 0.0025

EPSS Percentile 48.1%

Details

CWE

CWE-79

Status published

Products (2)

wordpress/wordpress < 3.6

n/a/n/a

Published Sep 12, 2013

Tracked Since Feb 18, 2026