{"url":"http://public2.vulnerablecode.io/api/packages/135294?format=json","purl":"pkg:deb/debian/wordpress@3.5.2%2Bdfsg-1?distro=trixie","type":"deb","namespace":"debian","name":"wordpress","version":"3.5.2+dfsg-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"3.6.1+dfsg-1","latest_non_vulnerable_version":"6.9.4+dfsg1-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105705?format=json","vulnerability_id":"VCID-16mq-7crg-vkgk","summary":"wp-includes/class-phpass.php in WordPress 3.5.1, when a password-protected post exists, allows remote attackers to cause a denial of service (CPU consumption) via a crafted value of a certain wp-postpass cookie.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2173","reference_id":"","reference_type":"","scores":[{"value":"0.01677","scoring_system":"epss","scoring_elements":"0.82501","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01677","scoring_system":"epss","scoring_elements":"0.82529","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2173"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947","reference_id":"713947","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/135294?format=json","purl":"pkg:deb/debian/wordpress@3.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@3.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135230?format=json","purl":"pkg:deb/debian/wordpress@5.7.11%2Bdfsg1-0%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eg3u-uaqx-m7f2"},{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@5.7.11%252Bdfsg1-0%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135228?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135232?format=json","purl":"pkg:deb/debian/wordpress@6.8.3%2Bdfsg1-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135231?format=json","purl":"pkg:deb/debian/wordpress@6.9.4%2Bdfsg1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.9.4%252Bdfsg1-1%3Fdistro=trixie"}],"aliases":["CVE-2013-2173"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-16mq-7crg-vkgk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105706?format=json","vulnerability_id":"VCID-bt4p-ytpr-yybc","summary":"The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue, a similar vulnerability to CVE-2013-0235.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2199","reference_id":"","reference_type":"","scores":[{"value":"0.00831","scoring_system":"epss","scoring_elements":"0.74919","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00831","scoring_system":"epss","scoring_elements":"0.74947","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2199"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947","reference_id":"713947","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/135294?format=json","purl":"pkg:deb/debian/wordpress@3.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@3.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135230?format=json","purl":"pkg:deb/debian/wordpress@5.7.11%2Bdfsg1-0%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eg3u-uaqx-m7f2"},{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@5.7.11%252Bdfsg1-0%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135228?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135232?format=json","purl":"pkg:deb/debian/wordpress@6.8.3%2Bdfsg1-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135231?format=json","purl":"pkg:deb/debian/wordpress@6.9.4%2Bdfsg1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.9.4%252Bdfsg1-1%3Fdistro=trixie"}],"aliases":["CVE-2013-2199"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bt4p-ytpr-yybc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105711?format=json","vulnerability_id":"VCID-cm72-619e-yqf2","summary":"moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2204","reference_id":"","reference_type":"","scores":[{"value":"0.00658","scoring_system":"epss","scoring_elements":"0.71439","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00658","scoring_system":"epss","scoring_elements":"0.71483","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2204"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947","reference_id":"713947","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/135294?format=json","purl":"pkg:deb/debian/wordpress@3.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@3.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135230?format=json","purl":"pkg:deb/debian/wordpress@5.7.11%2Bdfsg1-0%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eg3u-uaqx-m7f2"},{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@5.7.11%252Bdfsg1-0%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135228?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135232?format=json","purl":"pkg:deb/debian/wordpress@6.8.3%2Bdfsg1-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135231?format=json","purl":"pkg:deb/debian/wordpress@6.9.4%2Bdfsg1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.9.4%252Bdfsg1-1%3Fdistro=trixie"}],"aliases":["CVE-2013-2204"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cm72-619e-yqf2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105709?format=json","vulnerability_id":"VCID-m2ra-q2uw-rucx","summary":"WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2202","reference_id":"","reference_type":"","scores":[{"value":"0.01357","scoring_system":"epss","scoring_elements":"0.80477","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01357","scoring_system":"epss","scoring_elements":"0.80503","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947","reference_id":"713947","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/135294?format=json","purl":"pkg:deb/debian/wordpress@3.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@3.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135230?format=json","purl":"pkg:deb/debian/wordpress@5.7.11%2Bdfsg1-0%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eg3u-uaqx-m7f2"},{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@5.7.11%252Bdfsg1-0%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135228?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135232?format=json","purl":"pkg:deb/debian/wordpress@6.8.3%2Bdfsg1-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135231?format=json","purl":"pkg:deb/debian/wordpress@6.9.4%2Bdfsg1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.9.4%252Bdfsg1-1%3Fdistro=trixie"}],"aliases":["CVE-2013-2202"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m2ra-q2uw-rucx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105712?format=json","vulnerability_id":"VCID-ny71-e7za-8qex","summary":"The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2205","reference_id":"","reference_type":"","scores":[{"value":"0.0059","scoring_system":"epss","scoring_elements":"0.69569","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0059","scoring_system":"epss","scoring_elements":"0.69608","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2205"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947","reference_id":"713947","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/135294?format=json","purl":"pkg:deb/debian/wordpress@3.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@3.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135230?format=json","purl":"pkg:deb/debian/wordpress@5.7.11%2Bdfsg1-0%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eg3u-uaqx-m7f2"},{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@5.7.11%252Bdfsg1-0%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135228?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135232?format=json","purl":"pkg:deb/debian/wordpress@6.8.3%2Bdfsg1-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135231?format=json","purl":"pkg:deb/debian/wordpress@6.9.4%2Bdfsg1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.9.4%252Bdfsg1-1%3Fdistro=trixie"}],"aliases":["CVE-2013-2205"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ny71-e7za-8qex"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105708?format=json","vulnerability_id":"VCID-v19k-3uep-33bu","summary":"Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) uploads of media files, (2) editing of media files, (3) installation of plugins, (4) updates to plugins, (5) installation of themes, or (6) updates to themes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2201","reference_id":"","reference_type":"","scores":[{"value":"0.00749","scoring_system":"epss","scoring_elements":"0.73491","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00749","scoring_system":"epss","scoring_elements":"0.73527","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947","reference_id":"713947","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/135294?format=json","purl":"pkg:deb/debian/wordpress@3.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@3.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135230?format=json","purl":"pkg:deb/debian/wordpress@5.7.11%2Bdfsg1-0%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eg3u-uaqx-m7f2"},{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@5.7.11%252Bdfsg1-0%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135228?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135232?format=json","purl":"pkg:deb/debian/wordpress@6.8.3%2Bdfsg1-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135231?format=json","purl":"pkg:deb/debian/wordpress@6.9.4%2Bdfsg1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.9.4%252Bdfsg1-1%3Fdistro=trixie"}],"aliases":["CVE-2013-2201"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v19k-3uep-33bu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105707?format=json","vulnerability_id":"VCID-xz87-8yau-q3cq","summary":"WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2200","reference_id":"","reference_type":"","scores":[{"value":"0.01395","scoring_system":"epss","scoring_elements":"0.8073","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01395","scoring_system":"epss","scoring_elements":"0.80757","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2200"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947","reference_id":"713947","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/135294?format=json","purl":"pkg:deb/debian/wordpress@3.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@3.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135230?format=json","purl":"pkg:deb/debian/wordpress@5.7.11%2Bdfsg1-0%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eg3u-uaqx-m7f2"},{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@5.7.11%252Bdfsg1-0%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135228?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135232?format=json","purl":"pkg:deb/debian/wordpress@6.8.3%2Bdfsg1-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135231?format=json","purl":"pkg:deb/debian/wordpress@6.9.4%2Bdfsg1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.9.4%252Bdfsg1-1%3Fdistro=trixie"}],"aliases":["CVE-2013-2200"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xz87-8yau-q3cq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105710?format=json","vulnerability_id":"VCID-zmgt-3fur-vbdg","summary":"WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the absolute path in an XMLHttpRequest error message.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2203","reference_id":"","reference_type":"","scores":[{"value":"0.00901","scoring_system":"epss","scoring_elements":"0.76067","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00901","scoring_system":"epss","scoring_elements":"0.76092","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2199"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2200"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2204"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2205"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947","reference_id":"713947","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713947"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/135294?format=json","purl":"pkg:deb/debian/wordpress@3.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@3.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135230?format=json","purl":"pkg:deb/debian/wordpress@5.7.11%2Bdfsg1-0%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eg3u-uaqx-m7f2"},{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@5.7.11%252Bdfsg1-0%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135228?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-sjsv-4uy2-aqct"},{"vulnerability":"VCID-v95d-ak24-uqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135232?format=json","purl":"pkg:deb/debian/wordpress@6.8.3%2Bdfsg1-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/135231?format=json","purl":"pkg:deb/debian/wordpress@6.9.4%2Bdfsg1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.9.4%252Bdfsg1-1%3Fdistro=trixie"}],"aliases":["CVE-2013-2203"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zmgt-3fur-vbdg"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@3.5.2%252Bdfsg-1%3Fdistro=trixie"}