CVE-2013-4338 — Code Injection in Wordpress

CWE-94 — Code Injection5 documents5 sources

Severity

7.5HIGHNVD

EPSS

9.6%

top 7.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedSep 12

Latest updateMay 17

Description

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 3.6.1+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.6.1+dfsg-1+3

▶NVDwordpress/wordpress3.6

Patches

Patch: core.trac.wordpress.org ↗Patch: wordpress.org ↗Patch: core.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-j273-w3x2-xgpg: wp-includes/functions↗2022-05-17

▶

OSV

CVE-2013-4338: wp-includes/functions↗2013-09-12

▶

📋Vendor Advisories

Debian

CVE-2013-4338: wordpress - wp-includes/functions.php in WordPress before 3.6.1 does not properly determine ...↗2013

▶

💬Community

Bugzilla

CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 wordpress: new security issues fixed in 3.6.1↗2013-09-12

▶