rastating.github.io

Portfolio <= 2.1.10 Reflected XSS Disclosure

October 15, 2016

Due to a lack of CSRF mitigation and entity encoding in the `portfolio_gallery_print_html_nav` function found on line 276 of `/includes/admin/portfolio-gallery-admin-functions.php`, it is possible to execute scripts in the context of an admin user.

Woo Custom Checkout Field <= 1.3.2 CSRF + Stored XSS Disclosure

July 25, 2016

Due to a lack of CSRF mitigation and entity encoding in the `ccf_insert` function found on line 118 of `include/ccf.php` and in the output generated by `template/datagrid.php`, it is possible to store and execute scripts in the context of an admin user.

Woo Email Control <= 1.01 Reflected XSS Disclosure

July 19, 2016

Due to a lack of encoding and CSRF mitigation in the `test_email` function found on line 106 of `classes/class-wooctrl.php`, it is possible to automate a request to the AJAX handler for the `wooctrl_send_test_email` action which will reflect the specified script back to the end user.

Dwnldr 1.0 Stored XSS Disclosure

July 18, 2016

Due to a lack of input sanitization in the `dwnldr.php` file, it is possible for unauthenticated users to utilise an XSS vector to store and run a script in the target user's browser and potentially compromise the WordPress installation.

Fixing Issues in Typhoeus and HTTParty on Windows

June 4, 2016

Recently when doing some Ruby development using the Typhoeus and HTTParty gems with a Windows machine, I’ve found there are two issues that seem to appear out of the box near enough every time. Both these issues are easily resolved, but there are a lot of inappropriate solutions being suggested around the web (such as disabling SSL!?!).
