WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
WordPress before 5.5.2 allows XSS associated with global variables.
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
Dr.Fone 3.0.0 allows local users to gain privileges via a Trojan horse DriverInstall.exe because %PROGRAMFILES(X86)%Wondersharedr.foneLibraryDriverInstaller has Full Control for BUILTINUsers.
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
A vulnerability exists in the Origin Client that could allow a non-Administrative user to elevate their access to either Administrator or System. Once the user has obtained elevated access, they may be able to take control of the system and perform actions otherwise reserved for high privileged users or system Administrators.
IceWarp 184.108.40.206 allows XSS via the language parameter.