WordPress - Privileges Unchecked in admin.php and Multiple Information
This WordPress vulnerability was found in the way that WordPress handles some URL
A malicious attacker may be able to run arbitrary code if the administrator of the blog runs injected JavaScript code that edits the blog's PHP code. Most blogs that are powered by WordPress and hosted outside "WordPress.com" let any person create unprivileged users, called subscribers.
Disclosures of important username information were also found in WordPress.
The vulnerability may be mitigated by controlling access to the files inside the "wp-admin" folder. This can be done with Apache's access control mechanism, in other words, an ".htaccess" file.
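
One way to apply this mitigation, as an added example that is not part of the original advisory: an ".htaccess" file placed in the "wp-admin" folder that limits the directory to an administrators' network. It assumes Apache 2.4 with `AllowOverride AuthConfig` enabled for that directory; the range `203.0.113.0/24` is a constructed placeholder.

```apache
# wp-admin/.htaccess
# Added example. 203.0.113.0/24 is a constructed placeholder; replace it with
# the network that site administrators actually connect from.

# Apache 2.4 (mod_authz_core + mod_authz_host).
# Only clients in the listed range may request anything under wp-admin/.
# Every other client, including a logged-in subscriber, receives 403 before
# any PHP under wp-admin/ runs.
Require ip 203.0.113.0/24

# Optional exception: some themes and plugins call admin-ajax.php from
# public pages. Uncomment only if the site needs it, since this reopens
# that one file to all clients.
# <Files "admin-ajax.php">
#     Require all granted
# </Files>

# Apache 2.2 equivalent (mod_authz_host, needs AllowOverride Limit):
# Order deny,allow
# Deny from all
# Allow from 203.0.113.0/24
```

With this in place, subscribers outside the listed range can still log in through wp-login.php but can no longer open their profile page, which lives under wp-admin/.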