
Saddy

#34347 of 53,622
7.5 Total CVSS
Vulnerabilities · 2
Low: 1
Medium: 1
PT-2011-2569
3.5
2011-03-14
WordPress · Wordpress · CVE-2011-0700
**Name of the Vulnerable Software and Affected Versions**
WordPress versions prior to 3.0.5

**Description**
The issue allows remote authenticated users to inject arbitrary web script or HTML. This is achieved through various vectors, including the Quick/Bulk Edit title, post status, comment status, ping status, and improper escaping of tags within the tags meta box.

**Recommendations**
For versions prior to 3.0.5, update to version 3.0.5 or later to resolve the issue.

PT-2011-2570
4.0
2011-03-14
WordPress · Wordpress · CVE-2011-0701
**Name of the Vulnerable Software and Affected Versions**
WordPress versions prior to 3.0.5

**Description**
The issue allows remote authenticated users to read draft or private posts by modifying the `attachment id` parameter in the media uploader. This is due to a flaw in the wp-admin/async-upload.php file.

**Recommendations**
For versions prior to 3.0.5, update to version 3.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the media uploader to minimize the risk of exploitation. Avoid using the modified `attachment id` parameter in the affected API endpoint until the issue is resolved.