WordPress is vulnerable to multiple cross-site scripting (XSS) attacks. The vulnerability exists because wp-includes/class-wp-theme.php does not filter user-supplied web script or HTML passed through the (1) stylesheet name or (2) template name to wp-admin/customize.php.
www.openwall.com/lists/oss-security/2016/01/08/4
codex.wordpress.org/Version_4.4.1
core.trac.wordpress.org/changeset/36185
hackerone.com/crtc4l?sort_type=latest_disclosable_activity_at&filter=type%3Aall%20from%3Acrtc4l&page=1&range=forever
wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/