Vulnerability Description
wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. In practice this is a PHP object injection: a string an attacker gets WordPress to store can later be handed to unserialize() on retrieval, instantiating whatever classes the installation has loaded and running their magic methods (__wakeup(), __destruct(), and so on). The 3.6.1 fix (changeset 25325, referenced below) tightened the is_serialized()/maybe_serialize() round trip so that any stored string that could plausibly be interpreted as serialized data is serialized again on the way in and therefore comes back out as a plain string.
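To make the failure mode concrete, here is an added PHP example. It is not WordPress code and not the reported exploit; it models a storage layer that decides whether to hand a stored string to unserialize() using a "looks serialized" heuristic on both the write and the read side. The Probe class, the looks_serialized_* helpers, store(), load(), the payload and the column width are all constructed for this illustration, and truncation to a fixed width stands in for any step that alters the stored bytes between the write-side check and the read-side one. Requires PHP 7.4 or later.

```php
<?php
// Added example (not WordPress code). Models the hazard class behind
// CVE-2013-4338: a heuristic that decides whether a stored string is
// handed to unserialize(). Everything below is constructed for the demo.

class Probe
{
    // Flipped by PHP when unserialize() instantiates this class.
    public static bool $woken = false;

    public function __wakeup(): void
    {
        self::$woken = true;
    }
}

// Heuristic in the spirit of a strict-only check: the trimmed string must
// start with a type token and END in ';' or '}'.
function looks_serialized_strict(string $data): bool
{
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    $len = strlen($data);
    if ($len < 4 || $data[1] !== ':') {
        return false;
    }
    $last = $data[$len - 1];
    if ($last !== ';' && $last !== '}') {
        return false;
    }
    return (bool) preg_match('/^[abdiOs]:[0-9]/', $data);
}

// Lenient variant in the spirit of a non-strict write-side check: a ';' or
// '}' anywhere past the type prefix is enough to say "maybe serialized".
function looks_serialized_lenient(string $data): bool
{
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    if (strpos($data, ';') === false && strpos($data, '}') === false) {
        return false;
    }
    return (bool) preg_match('/^[abdiOs]:[0-9]/', $data);
}

// Write side, modelled on a maybe_serialize()-style helper: values that look
// serialized are serialized AGAIN so they round-trip as strings. Constructed
// assumption: the backing column silently truncates to $width bytes.
function store(string $value, callable $check, int $width): string
{
    $row = $check($value) ? serialize($value) : $value;
    return substr($row, 0, $width);
}

// Read side, modelled on a maybe_unserialize()-style helper: anything that
// passes the strict check is unserialized.
function load(string $row)
{
    return looks_serialized_strict($row) ? unserialize($row) : $row;
}

$payload = 'O:5:"Probe":0:{}';   // attacker-controlled string (constructed)
$width   = strlen($payload);     // column exactly as wide as the payload (constructed)
$input   = $payload . '#';       // trailing byte defeats the strict write-side check

// Vulnerable path: stored raw, truncated by the column, unserialized on read.
Probe::$woken = false;
$obj = load(store($input, 'looks_serialized_strict', $width));
printf(
    "strict write-side check: got object=%s, __wakeup ran=%s\n",
    var_export($obj instanceof Probe, true),
    var_export(Probe::$woken, true)
);

// Fixed path: the lenient check flags the value, so it is serialized again
// and comes back as a string, never as an object.
Probe::$woken = false;
$back = load(store($input, 'looks_serialized_lenient', $width));
printf(
    "lenient write-side check: got object=%s, __wakeup ran=%s\n",
    var_export($back instanceof Probe, true),
    var_export(Probe::$woken, true)
);
```

In the first run the trailing `#` makes the strict write-side check return false, so the string is stored raw; truncation removes the `#`, the read-side check now passes, and unserialize() instantiates Probe (its __wakeup() flips Probe::$woken). In the second run the lenient write-side check classifies the same input as possibly serialized, so it is serialized again and the read side returns a string. The lesson matches the direction of the 3.6.1 change: on the way in, err toward treating input as serialized data. Where unserialize() must be run on stored data at all, PHP 7.0 and later also accept `unserialize($row, ['allowed_classes' => false])`, which turns any object in the payload into __PHP_Incomplete_Class instead of instantiating it.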
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| WordPress | WordPress | 3.6 and earlier (fixed in 3.6.1) |
Related Weaknesses (CWE)
References
- http://codex.wordpress.org/Version_3.6.1 (Vendor Advisory)
- http://core.trac.wordpress.org/changeset/25325 (Exploit, Patch)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116828.
- http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116832.
- http://lists.fedoraproject.org/pipermail/package-announce/2013-September/117118.
- http://wordpress.org/news/2013/09/wordpress-3-6-1/ (Patch, Vendor Advisory)
- http://www.debian.org/security/2013/dsa-2757
FAQ
What is CVE-2013-4338?
CVE-2013-4338 is a vulnerability with a CVSS score of 7.5 (HIGH). wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.
How severe is CVE-2013-4338?
CVE-2013-4338 has been rated HIGH with a CVSS base score of 7.5/10. Only the base score is given on this page; the vector breakdown is available from the vendor and distribution advisories in the references above.
Is there a patch for CVE-2013-4338?
Yes. WordPress 3.6.1 fixes the issue; the vendor release notes and changeset 25325 are listed in the references above, along with the Debian and Fedora security updates. The only affected product is WordPress itself, versions 3.6 and earlier.