FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

wordpress -- multiple vulnerabilities

Affected packages
wordpress < 3.7.5,1
3.8,1 <= wordpress < 3.8.5,1
3.9,1 <= wordpress < 3.9.3,1
4.0,1 <= wordpress < 4.0.1,1
zh-wordpress < 3.7.5
3.8 <= zh-wordpress < 3.8.5
3.9 <= zh-wordpress < 3.9.3
4.0 <= zh-wordpress < 4.0.1
de-wordpress < 3.7.5
3.8 <= de-wordpress < 3.8.5
3.9 <= de-wordpress < 3.9.3
4.0 <= de-wordpress < 4.0.1
ja-wordpress < 3.7.5
3.8 <= ja-wordpress < 3.8.5
3.9 <= ja-wordpress < 3.9.3
4.0 <= ja-wordpress < 4.0.1
ru-wordpress < 3.7.5
3.8 <= ru-wordpress < 3.8.5
3.9 <= ru-wordpress < 3.9.3
4.0 <= ru-wordpress < 4.0.1

Details

VuXML ID 5e135178-8aeb-11e4-801f-0022156e8794
Discovery 2014-11-25
Entry 2015-01-05

MITRE reports:

wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message.

wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource.

WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash.

Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post.

Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.

Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords.

References

CVE Name CVE-2014-9033
CVE Name CVE-2014-9034
CVE Name CVE-2014-9035
CVE Name CVE-2014-9036
CVE Name CVE-2014-9037
CVE Name CVE-2014-9038
CVE Name CVE-2014-9039