IT security experts: cybersecurity audits and consulting
French cybersecurity company since 2004


CVE-2013-2205

Description

The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.

POC

Reference

- http://make.wordpress.org/core/2013/06/21/secure-swfupload/

Github

- https://github.com/20142995/nuclei-templates

- https://github.com/WordPress/secure-swfupload

- https://github.com/coupa/secure-swfupload

- https://github.com/danifbento/SWFUpload