CVE-2013-2202
WordPress Core < 3.5.2 - XXE Injection
Severity Score
5.4
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
WordPress anterior a v3.5.2 permite a atacantes remotos leer ficheros de su elección mediante respuesta del proveedor oEmbed XML que contenga una declaración de entidad externa en conjunción con una referencia de entidad, en relación con un fallo en una XML External Entity (XXE).
A denial of service flaw was found in the way Wordpress, a blog tool and publishing platform, performed hash computation when checking password for password protected blog posts. A remote attacker could provide a specially-crafted input that, when processed by the password checking mechanism of Wordpress would lead to excessive CPU consumption. Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to which was specific to SSRF in pingback requests and was fixed in 3.5.1. Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it; and to assign posts to other authors. Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins. The processing of an oEmbed response is vulnerable to an XXE. If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory. Content Spoofing in the MoxieCode MoxiePlayer project. Cross-domain XSS in SWFUpload.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2013-02-19 CVE Reserved
- 2013-06-21 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://codex.wordpress.org/Version_3.5.2 | X_refsource_confirm | |
| https://bugzilla.redhat.com/show_bug.cgi?id=976784 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://wordpress.org/news/2013/06/wordpress-3-5-2 | 2013-10-07 | |
| http://www.debian.org/security/2013/dsa-2718 | 2013-10-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | <= 3.5.1 Search vendor "Wordpress" for product "Wordpress" and version " <= 3.5.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 0.71 Search vendor "Wordpress" for product "Wordpress" and version "0.71" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.0 Search vendor "Wordpress" for product "Wordpress" and version "1.0" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.0.1 Search vendor "Wordpress" for product "Wordpress" and version "1.0.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.0.2 Search vendor "Wordpress" for product "Wordpress" and version "1.0.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.1.1 Search vendor "Wordpress" for product "Wordpress" and version "1.1.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.2 Search vendor "Wordpress" for product "Wordpress" and version "1.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.2.1 Search vendor "Wordpress" for product "Wordpress" and version "1.2.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.2.2 Search vendor "Wordpress" for product "Wordpress" and version "1.2.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.2.3 Search vendor "Wordpress" for product "Wordpress" and version "1.2.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.2.4 Search vendor "Wordpress" for product "Wordpress" and version "1.2.4" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.2.5 Search vendor "Wordpress" for product "Wordpress" and version "1.2.5" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.2.5 Search vendor "Wordpress" for product "Wordpress" and version "1.2.5" | a |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.3 Search vendor "Wordpress" for product "Wordpress" and version "1.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.3.2 Search vendor "Wordpress" for product "Wordpress" and version "1.3.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.3.3 Search vendor "Wordpress" for product "Wordpress" and version "1.3.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.5 Search vendor "Wordpress" for product "Wordpress" and version "1.5" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.5.1 Search vendor "Wordpress" for product "Wordpress" and version "1.5.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.5.1.1 Search vendor "Wordpress" for product "Wordpress" and version "1.5.1.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.5.1.2 Search vendor "Wordpress" for product "Wordpress" and version "1.5.1.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.5.1.3 Search vendor "Wordpress" for product "Wordpress" and version "1.5.1.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.5.2 Search vendor "Wordpress" for product "Wordpress" and version "1.5.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 1.6.2 Search vendor "Wordpress" for product "Wordpress" and version "1.6.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0 Search vendor "Wordpress" for product "Wordpress" and version "2.0" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.1 Search vendor "Wordpress" for product "Wordpress" and version "2.0.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.2 Search vendor "Wordpress" for product "Wordpress" and version "2.0.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.4 Search vendor "Wordpress" for product "Wordpress" and version "2.0.4" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.5 Search vendor "Wordpress" for product "Wordpress" and version "2.0.5" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.6 Search vendor "Wordpress" for product "Wordpress" and version "2.0.6" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.7 Search vendor "Wordpress" for product "Wordpress" and version "2.0.7" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.8 Search vendor "Wordpress" for product "Wordpress" and version "2.0.8" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.9 Search vendor "Wordpress" for product "Wordpress" and version "2.0.9" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.10 Search vendor "Wordpress" for product "Wordpress" and version "2.0.10" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.0.11 Search vendor "Wordpress" for product "Wordpress" and version "2.0.11" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.1 Search vendor "Wordpress" for product "Wordpress" and version "2.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.1.1 Search vendor "Wordpress" for product "Wordpress" and version "2.1.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.1.2 Search vendor "Wordpress" for product "Wordpress" and version "2.1.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.1.3 Search vendor "Wordpress" for product "Wordpress" and version "2.1.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.2 Search vendor "Wordpress" for product "Wordpress" and version "2.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.2.1 Search vendor "Wordpress" for product "Wordpress" and version "2.2.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.2.2 Search vendor "Wordpress" for product "Wordpress" and version "2.2.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.2.3 Search vendor "Wordpress" for product "Wordpress" and version "2.2.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.3 Search vendor "Wordpress" for product "Wordpress" and version "2.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.3.1 Search vendor "Wordpress" for product "Wordpress" and version "2.3.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.3.2 Search vendor "Wordpress" for product "Wordpress" and version "2.3.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.3.3 Search vendor "Wordpress" for product "Wordpress" and version "2.3.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.5 Search vendor "Wordpress" for product "Wordpress" and version "2.5" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.5.1 Search vendor "Wordpress" for product "Wordpress" and version "2.5.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.6 Search vendor "Wordpress" for product "Wordpress" and version "2.6" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.6.1 Search vendor "Wordpress" for product "Wordpress" and version "2.6.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.6.2 Search vendor "Wordpress" for product "Wordpress" and version "2.6.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.6.3 Search vendor "Wordpress" for product "Wordpress" and version "2.6.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.6.5 Search vendor "Wordpress" for product "Wordpress" and version "2.6.5" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.7 Search vendor "Wordpress" for product "Wordpress" and version "2.7" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.7.1 Search vendor "Wordpress" for product "Wordpress" and version "2.7.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8 Search vendor "Wordpress" for product "Wordpress" and version "2.8" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8.1 Search vendor "Wordpress" for product "Wordpress" and version "2.8.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8.2 Search vendor "Wordpress" for product "Wordpress" and version "2.8.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8.3 Search vendor "Wordpress" for product "Wordpress" and version "2.8.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8.4 Search vendor "Wordpress" for product "Wordpress" and version "2.8.4" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8.4 Search vendor "Wordpress" for product "Wordpress" and version "2.8.4" | a |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8.5 Search vendor "Wordpress" for product "Wordpress" and version "2.8.5" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8.5.1 Search vendor "Wordpress" for product "Wordpress" and version "2.8.5.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8.5.2 Search vendor "Wordpress" for product "Wordpress" and version "2.8.5.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.8.6 Search vendor "Wordpress" for product "Wordpress" and version "2.8.6" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.9 Search vendor "Wordpress" for product "Wordpress" and version "2.9" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.9.1 Search vendor "Wordpress" for product "Wordpress" and version "2.9.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.9.1.1 Search vendor "Wordpress" for product "Wordpress" and version "2.9.1.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 2.9.2 Search vendor "Wordpress" for product "Wordpress" and version "2.9.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 3.3 Search vendor "Wordpress" for product "Wordpress" and version "3.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 3.3.1 Search vendor "Wordpress" for product "Wordpress" and version "3.3.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 3.3.2 Search vendor "Wordpress" for product "Wordpress" and version "3.3.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 3.3.3 Search vendor "Wordpress" for product "Wordpress" and version "3.3.3" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 3.4.0 Search vendor "Wordpress" for product "Wordpress" and version "3.4.0" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 3.4.1 Search vendor "Wordpress" for product "Wordpress" and version "3.4.1" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 3.4.2 Search vendor "Wordpress" for product "Wordpress" and version "3.4.2" | - |
Affected
| ||||||
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | 3.5.0 Search vendor "Wordpress" for product "Wordpress" and version "3.5.0" | - |
Affected
| ||||||