- Remote shell injection in PHPMailer, which was basically something not wrapped in escapeshellarg(). Unfortunately, PHPMailer seems to be no longer maintained, so it looks like WordPress is going to have to maintain it or switch to another library.
- Remote SQL injection in our XML-RPC implementation.
- An unescaped attribute in Kubrick’s
As always, it’s recommended you download it now.