{"id":"MGASA-2013-0285","summary":"Updated wordpress and php-phpmailer packages fix security vulnerabilities","details":"wp-includes/functions.php in WordPress before 3.6.1 does not properly\ndetermine whether data has been serialized, which allows remote\nattackers to execute arbitrary code by triggering erroneous PHP\nunserialize operations (CVE-2013-4338).\n\nWordPress before 3.6.1 does not properly validate URLs before use in\nan HTTP redirect, which allows remote attackers to bypass intended\nredirection restrictions via a crafted string (CVE-2013-4339).\n\nwp-admin/includes/post.php in WordPress before 3.6.1 allows remote\nauthenticated users to spoof the authorship of a post by leveraging\nthe Author role and providing a modified user_ID parameter\n(CVE-2013-4340).\n\nThe get_allowed_mime_types function in wp-includes/functions.php in\nWordPress before 3.6.1 does not require the unfiltered_html capability\nfor uploads of .htm and .html files, which might make it easier for\nremote authenticated users to conduct cross-site scripting (XSS)\nattacks via a crafted file (CVE-2013-5738).\n\nThe default configuration of WordPress before 3.6.1 does not prevent\nuploads of .swf and .exe files, which might make it easier for remote\nauthenticated users to conduct cross-site scripting (XSS) attacks via\na crafted file, related to the get_allowed_mime_types function in\nwp-includes/functions.php (CVE-2013-5739).\n\nAdditionally, php-phpmailer has been updated to a newer version required\nby the updated wordpress.\n","modified":"2026-04-16T06:22:57.797946468Z","published":"2013-09-19T09:45:04Z","upstream":["CVE-2013-4338","CVE-2013-4339","CVE-2013-4340","CVE-2013-5738","CVE-2013-5739"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2013-0285.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=11218"},{"type":"WEB","url":"http://wordpress.org/news/2013/09/wordpress-3-6-1/"},{"type":"WEB","url":"http://www.debian.org/security/2013/dsa-2757"}],"affected":[{"package":{"name":"wordpress","ecosystem":"Mageia:2","purl":"pkg:rpm/mageia/wordpress?arch=source&distro=mageia-2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.6.1-1.mga2"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0285.json"}},{"package":{"name":"php-phpmailer","ecosystem":"Mageia:2","purl":"pkg:rpm/mageia/php-phpmailer?arch=source&distro=mageia-2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.2.7-0.20130917.1.mga2"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0285.json"}},{"package":{"name":"wordpress","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/wordpress?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.6.1-1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0285.json"}},{"package":{"name":"php-phpmailer","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/php-phpmailer?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.2.7-0.20130917.1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0285.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}