VDB
GCVE-110-MAGEIA-2013-285
GCVE-110-MAGEIA-2013-285
Advisory Published
wp-includes/functions.php in WordPress before 3.6.1 does not properly
determine whether data has been serialized, which allows remote
attackers to execute arbitrary code by triggering erroneous PHP
unserialize operations (CVE-2013-4338).
WordPress before 3.6.1 does not properly validate URLs before use in
an HTTP redirect, which allows remote attackers to bypass intended
redirection restrictions via a crafted string (CVE-2013-4339).
wp-admin/includes/post.php in WordPress before 3.6.1 allows remote
authenticated users to spoof the authorship of a post by leveraging
the Author role and providing a modified user_ID parameter
(CVE-2013-4340).
The get_allowed_mime_types function in wp-includes/functions.php in
WordPress before 3.6.1 does not require the unfiltered_html capability
for uploads of .htm and .html files, which might make it easier for
remote authenticated users to conduct cross-site scripting (XSS)
attacks via a crafted file (CVE-2013-5738).
The default configuration of WordPress before 3.6.1 does not prevent
uploads of .swf and .exe files, which might make it easier for remote
authenticated users to conduct cross-site scripting (XSS) attacks via
a crafted file, related to the get_allowed_mime_types function in
wp-includes/functions.php (CVE-2013-5739).
Additionally, php-phpmailer has been updated to a newer version required
by the updated wordpress.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | wordpress | 3.6.1-1.mga2 (unaffected), 0 (affected) | — |
| Mageia | php-phpmailer | 5.2.7-0.20130917.1.mga3 (unaffected), 0 (affected) | — |
| Mageia | wordpress | 0 (affected), 3.6.1-1.mga3 (unaffected) | — |
| Mageia | php-phpmailer | 0 (affected), 5.2.7-0.20130917.1.mga2 (unaffected) | — |
References
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.