CVE-2013-5739 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5739): The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. CVE-2013-5738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5738): The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. Awaiting cleanup.
Ping! Maintainer(s), please drop the vulnerable version.
All done by radhermit. Closed as [noglsa]