Description
wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field.
Remediation
References
Related Vulnerabilities
PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-3065)
WordPress 5.6.x Multiple Vulnerabilities (5.6 - 5.6.12)
WordPress Plugin Delete All Comments Arbitrary File Upload (2.0)
Internet Information Services Other Vulnerability (CVE-1999-0233)
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-40177)