Description
The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.
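The advisory describes a default-allowlist problem: get_allowed_mime_types() returned .swf and .exe entries, so any user with upload rights could place Flash or executable content under the site's origin. As an added example (not the advisory's or WordPress's own code), the snippet below is a must-use plugin that strips those types through the standard `upload_mimes` filter for sites that cannot move to 3.6.1 immediately; the MIME values `application/x-shockwave-flash` and `application/x-msdownload` are assumed to match what the affected versions registered.

```php
<?php
/**
 * Plugin Name: Block Flash and executable uploads (added hardening example)
 * Place in wp-content/mu-plugins/ so it loads before any regular plugin.
 *
 * get_allowed_mime_types() passes its extension => MIME map through the
 * 'upload_mimes' filter; removing entries here makes wp_check_filetype()
 * reject the file at upload time, for every role, including authenticated
 * users who are otherwise allowed to upload media.
 */
add_filter( 'upload_mimes', function ( array $mimes ) {
    // Extensions the 3.6.1 fix dropped from the default list.
    $blocked_exts = array( 'swf', 'exe' );
    // MIME types to drop even if a plugin re-registers them under another key.
    // (Assumed values; verify against your installed wp-includes/functions.php.)
    $blocked_types = array(
        'application/x-shockwave-flash',
        'application/x-msdownload',
    );

    foreach ( $mimes as $ext_pattern => $type ) {
        // Keys may be pipe-separated patterns such as 'jpg|jpeg|jpe',
        // so compare each alternative rather than the whole key.
        $exts = explode( '|', strtolower( $ext_pattern ) );
        if ( array_intersect( $exts, $blocked_exts ) || in_array( $type, $blocked_types, true ) ) {
            unset( $mimes[ $ext_pattern ] );
        }
    }
    return $mimes;
}, 10, 1 );
```

To confirm the filter took effect on a live site, `wp eval 'var_export(array_intersect_key(get_allowed_mime_types(), array_flip(array("swf","exe"))));'` should print an empty array.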
Remediation
References
Related Vulnerabilities
Drupal Core 7.x Multiple Vulnerabilities (7.0 - 7.33)
WordPress Plugin YOP Poll Multiple Cross-Site Scripting Vulnerabilities (4.9.1)
PHP 5.3.9 remote code execution
WordPress Plugin zM Ajax Login & Register Multiple Vulnerabilities (1.0.9)
WordPress 2.0.5 Charset Decoding SQL Injection Vulnerability (0.6.2 - 2.0.5)