Description
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."
Remediation
References
Related Vulnerabilities
WordPress Plugin Shopping Cart & eCommerce Store Arbitrary File Upload (3.0.8)
PHP Resource Management Errors Vulnerability (CVE-2015-4024)
WordPress Plugin Import Legacy Media Cross-Site Scripting (0.1)
WordPress Plugin Product Reviews Import Export for WooCommerce Cross-Site Request Forgery (1.3.2)