WordPress does not properly filter comment content, leading to remote code execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because search engine optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
Cross-site scripting
The vulnerability is reported in versions prior to 5.1.1.
Update to version 5.1.1.
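To find installs that still need this update, the following added example (not part of the advisory and not WordPress code) reads the release string from each `wp-includes/version.php` under a directory and applies the range stated above, versions prior to 5.1.1. The function names and the sample file contents are constructed for illustration, and treating a pre-release build of 5.1.1 as unfixed is an assumption.

```python
import re
from pathlib import Path

FIXED = (5, 1, 1)  # fixed release named in the advisory

# wp-includes/version.php assigns the release string to $wp_version.
_ASSIGN = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

# Constructed sample of a version.php file, used for a quick self-check.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '5.1';\n$wp_db_version = 44719;\n"


def parse_wp_version(php_source):
    """Return the $wp_version string from version.php contents, or None."""
    match = _ASSIGN.search(php_source)
    return match.group(1) if match else None


def is_affected(version):
    """True if `version` is prior to 5.1.1 (the advisory's stated range)."""
    match = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(part) for part in match.group(1).split(".")]
    nums = tuple(nums + [0] * (3 - len(nums)))[:3]  # "5.1" -> (5, 1, 0)
    prerelease = bool(match.group(2))               # e.g. "-RC1", "-beta2"
    # Assumption: a pre-release build of 5.1.1 is treated as not yet fixed.
    return nums < FIXED or (nums == FIXED and prerelease)


def audit(root):
    """Map each WordPress install under `root` to (version, affected)."""
    results = {}
    for version_file in sorted(Path(root).rglob("wp-includes/version.php")):
        install = version_file.parent.parent
        version = parse_wp_version(version_file.read_text(errors="replace"))
        # A file with no parseable version is reported as (None, None).
        results[str(install)] = (version, is_affected(version)) if version else (None, None)
    return results


if __name__ == "__main__":
    import sys
    for path, (version, affected) in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        status = "UNKNOWN" if affected is None else "AFFECTED" if affected else "ok"
        print(f"{status:8} {version or '?':12} {path}")
```

Versions are compared numerically per component, so a release such as 5.10 is not mistaken for one older than 5.1.1.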