CVE-2013-5738
EPSS 0.71%Published: 9/12/2013Modified: 5/27/2026
Description
The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file.
Affected packages (1)
- Debian/wordpressfrom 0, < 3.6.1+dfsg-1