CVE-2013-5739

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.

Published: Sep 12, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-5739
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	-	3.6.x

http://codex.wordpress.org/Version_3.6.1
http://core.trac.wordpress.org/changeset/25322
http://wordpress.org/news/2013/09/wordpress-3-6-1/
http://www.debian.org/security/2013/dsa-2757

Vulnerability Database

289,697

CVE-2013-5739