---
title: "WordPress Vulnerabilities"
description: "Recently, new vulnerabilities affecting Wordpress have been identified. All customers who use WordPress are advised to upgrade to the latest version (3.5.2) immediately. You can view our full..."
url: https://www.inmotionhosting.com/support/edu/wordpress/wordpress-vulnerabilities/
date: 2013-07-03
modified: 2021-08-16
author: "InMotion Hosting Contributor"
categories: ["WordPress Hosting", "WordPress Tutorials"]
type: post
lang: en
---

# WordPress Vulnerabilities

Recently, new vulnerabilities affecting WordPress have been identified.

All customers who use WordPress are advised to upgrade to the latest version (3.5.2) immediately. You can view our full walk-through guide on [Updating WordPress](/support/edu/wordpress/update-wordpress-from-admin-dashboard/) here in our Support Center.

## Below is a list and explanation of the vulnerabilities:

- **CVE-2013-2173** A denial of service was found in the way wordpress performs hash computation when checking password for protected posts. An attacker supplying carefully crafted input as a password could make the platform use excessive CPU usage
- **CVE-2013-2199** Multiple server-side requests forgery (SSRF) vulnerabilities were found in the HTTP API. This is related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1
- **CVE-2013-2201** Multiple cross-side scripting (XSS) vulnerabilities due to badly escaped input were found in the media files and plugins upload forms
- **CVE-2013-2202** XML External Entity Injection (XXE) vulnerability via oEmbed responses
- **CVE-2013-2203** A Full path disclosure (FPD) was found in the file upload mechanism. If the upload directory is not writable, the error message returned includes the full directory path
- **CVE-2013-2203** A Full path disclosure (FPD) was found in the file upload mechanism. If the upload directory is not writable, the error message returned includes the full directory path
- **CVE-2013-2204** Content spoofing via flash applet in the embedded tinyMCE media plugin
- **CVE-2013-2205** Cross-domain XSS in the embedded SWFupload uploader

You can read the [Official WordPress Release notes](https://codex.wordpress.org/Version_3.5.2) regarding this latest update on WordPress.org.
