CVE-2013-2205 — Cross-site Scripting in Wordpress

CWE-16 CWE-79 — Cross-site Scripting7 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.6%

top 30.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedJul 8

Latest updateMay 17

Description

The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 3.5.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.5.2+dfsg-1+3

▶NVDwordpress/wordpress3.5.1+74

🔴Vulnerability Details

GHSA

GHSA-4vph-7h2p-5498: The default configuration of SWFUpload in WordPress before 3↗2022-05-17

▶

OSV

CVE-2013-2205: The default configuration of SWFUpload in WordPress before 3↗2013-07-08

▶

📋Vendor Advisories

Debian

CVE-2013-2205: wordpress - The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestri...↗2013

▶

💬Community

Bugzilla

CVE-2013-2199 CVE-2013-2200 CVE-2013-2201 CVE-2013-2202 CVE-2013-2203 CVE-2013-2204 CVE-2013-2205 wordpress: Multiple security flaws to be corrected within upstream 3.5.2 version [epel-all]↗2013-06-22

▶

Bugzilla

▶

Bugzilla

CVE-2013-2199 CVE-2013-2200 CVE-2013-2201 CVE-2013-2202 CVE-2013-2203 CVE-2013-2204 CVE-2013-2205 wordpress: Multiple security flaws to be corrected within upstream 3.5.2 version↗2013-06-21

▶