Description
The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.