The get_allowed_mime_types function in wp-includes/functions.php in
WordPress before 3.6.1 does not require the unfiltered_html capability for
uploads of .htm and .html files, which might make it easier for remote
authenticated users to conduct cross-site scripting (XSS) attacks via a
crafted file.