WordPress - Privileges Unchecked in admin.php and Multiple Information

This WordPress vulnerability was found in the way that WordPress handles some URL
requests. It results the content of plugins configuration pages in some plugins modifying plugin options, unprivileged users viewing and injecting JavaScript code.
The code is abitrary and it may be run by a malicious attacker, if the administrator of the blog runs injected JavasScript code that edits blog’s PHP code. Most of all the blogs that are powered by WordPress and hosted outside “WordPress.com”, let any person to create unprivileged users that are called subscribers.
Also, there disclosure of important username’s information were found in WordPress.

Solution

           A vulnerability may be mitigated by controlling access to file that is inside the "wp-admin" folder. It can be done by using Apache access control mechanism, in other words, ".htaccess" file.