Description
The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.
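One way to close the gap on a site that cannot yet move to 3.6.1, as an added example (not code from WordPress core or from this advisory): a must-use plugin that strips the two extensions from the map WordPress passes through the `upload_mimes` filter inside get_allowed_mime_types, and warns administrators if the effective allow-list still contains them. The extension list, file name and admin notice are assumptions made for the example.

```php
<?php
// Must-use plugin (wp-content/mu-plugins/harden-upload-mimes.php); added example, not core code.

// Extensions refused regardless of what core or other plugins allow (assumed list for this example).
const RISKY_UPLOAD_EXTENSIONS = array( 'swf', 'exe' );

// Remove risky extensions from the allowed MIME map passed through the 'upload_mimes' filter.
// Keys may group several extensions with '|' (e.g. 'jpg|jpeg|jpe'), so each key is split and rebuilt.
function harden_upload_mimes( array $mimes ) : array {
    $clean = array();
    foreach ( $mimes as $ext_pattern => $type ) {
        $kept = array_diff( explode( '|', strtolower( $ext_pattern ) ), RISKY_UPLOAD_EXTENSIONS );
        if ( ! empty( $kept ) ) {
            $clean[ implode( '|', $kept ) ] = $type;
        }
    }
    return $clean;
}
// PHP_INT_MAX priority: runs after any plugin that re-adds swf/exe at the default priority.
add_filter( 'upload_mimes', 'harden_upload_mimes', PHP_INT_MAX );

// Audit helper: list the risky extensions an allow-list still contains (empty array when clean).
function find_risky_upload_types( array $mimes ) : array {
    $found = array();
    foreach ( array_keys( $mimes ) as $ext_pattern ) {
        foreach ( explode( '|', strtolower( $ext_pattern ) ) as $ext ) {
            if ( in_array( $ext, RISKY_UPLOAD_EXTENSIONS, true ) ) {
                $found[] = $ext;
            }
        }
    }
    return $found;
}

// Show administrators whether the effective allow-list (after all filters) is still exposed.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $risky = find_risky_upload_types( get_allowed_mime_types() );
    if ( $risky ) {
        echo '<div class="notice notice-error"><p>Upload allow-list still permits: '
            . esc_html( implode( ', ', $risky ) ) . '</p></div>';
    }
} );
```

Because get_allowed_mime_types applies the same filter, the notice reflects the list after every plugin has had its say, so it also catches a plugin that re-enables these types later.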
Remediation
References
Related Vulnerabilities
WordPress 4.9.x Multiple Vulnerabilities (4.9 - 4.9.10)
WordPress Plugin 1-click Retweet/Share/Like Cross-Site Scripting (5.2)
Magento Server-Side Request Forgery (SSRF) Vulnerability (CVE-2019-8156)
Handlebars CVE-2021-23369 Vulnerability (CVE-2021-23369)
Ruby Improper Input Validation Vulnerability (CVE-2009-5147)