CVE-2015-3438

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 4.1.2

Description The issue allows remote attackers to inject arbitrary web script or HTML via a crafted character in a comment, potentially affecting WordPress installations that use MySQL without strict mode. This can be achieved by injecting a four-byte UTF-8 character or an invalid character that reaches the database layer.

Recommendations For versions prior to 4.1.2, update to version 4.1.2 or later to resolve the issue. As a temporary workaround, consider restricting user input to prevent the injection of malicious characters.