Unrated severity · NVD Advisory · Published Sep 12, 2013 · Updated Jun 16, 2026
CVE-2013-5739
Description
The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.
Affected products
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* (range: <=3.6)
- (no CPE) (range: <3.6.1)
References
- wordpress.org/news/2013/09/wordpress-3-6-1/ (nvd: Patch, Vendor Advisory)
- core.trac.wordpress.org/changeset/25322 (nvd: Exploit, Patch)
- codex.wordpress.org/Version_3.6.1 (nvd: Vendor Advisory)
- www.debian.org/security/2013/dsa-2757 (nvd)