CVE-2013-5739 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

3.5LOWNVD

EPSS

0.3%

top 51.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedSep 12

Latest updateMay 17

Description

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 6.8 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 3.6.1+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.6.1+dfsg-1+3

▶NVDwordpress/wordpress3.6

Patches

Patch: core.trac.wordpress.org ↗Patch: wordpress.org ↗Patch: core.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-v4p8-jvp4-22m6: The default configuration of WordPress before 3↗2022-05-17

▶

OSV

CVE-2013-5739: The default configuration of WordPress before 3↗2013-09-12

▶

📋Vendor Advisories

Debian

CVE-2013-5739: wordpress - The default configuration of WordPress before 3.6.1 does not prevent uploads of ...↗2013

▶

💬Community

Bugzilla

CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 wordpress: new security issues fixed in 3.6.1↗2013-09-12

▶