CVE-2013-5739
WordPress < 3.6.1 - Authenticated Cross-Site Scripting via SWF/EXE File Upload
Title source: llmDescription
The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.
References (4)
Core 4
Core References
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2013/dsa-2757
Exploit, Patch x_refsource_confirm
http://core.trac.wordpress.org/changeset/25322
Vendor Advisory x_refsource_confirm
http://codex.wordpress.org/Version_3.6.1
Patch, Vendor Advisory x_refsource_confirm
http://wordpress.org/news/2013/09/wordpress-3-6-1/
Scores
EPSS
0.0025
EPSS Percentile
48.3%
Details
CWE
CWE-79
Status
published
Products (1)
wordpress/wordpress
< 3.6
Published
Sep 12, 2013
Tracked Since
Feb 18, 2026