The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.
References
Link | Resource |
---|---|
http://wordpress.org/news/2013/09/wordpress-3-6-1/ | Patch Vendor Advisory |
http://codex.wordpress.org/Version_3.6.1 | Vendor Advisory |
http://core.trac.wordpress.org/changeset/25322 | Exploit Patch |
http://www.debian.org/security/2013/dsa-2757 |
Configurations
Information
Published : 2013-09-12 06:30
Updated : 2013-09-26 20:47
NVD link : CVE-2013-5739
Mitre link : CVE-2013-5739
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
wordpress
- wordpress