wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available.
The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS). Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available.
Phpbb3 before 3.0.11-4 for Debian GNU/Linux uses world-writable permissions for cache files, which allows local users to modify the file contents via standard filesystem write operations. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.