Description
The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.
Related Vulnerabilities
phpMyFAQ Misinterpretation of Input Vulnerability (CVE-2023-0880)
WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-6514)
WordPress 3.9.x Multiple Vulnerabilities (3.9 - 3.9.18)
Caddy Web Server URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2022-28923)