Crtc4L

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.4.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a stylesheet name or template name to the "/wp-admin/customize.php" API endpoint. This can be achieved by manipulating the `stylesheet name` or `template name` variables. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-admin/customize.php" endpoint until the update is applied. Avoid using potentially malicious stylesheet names or template names in the affected endpoint until the issue is resolved.