Researchers have found a string of weaknesses in the WordPress default installation page, including PHP code execution and a persistent cross-site scripting flaw, affecting versions 3.3.1 and later. WordPress officials say that they re not planning to fix the vulnerabilities as there s only a small possibility of exploitation by attackers. The flaws were found by researchers at TrustWave’s SpiderLabs, and in their advisory on the WordPress bugs, they describe how attackers would be able to exploit them.
Source: https://threatpost.com/multiple-bugs-haunt-wordpress-setup-012512/76140/