One of the XSS vulnerabilities could be triggered via the plugin name or version header on update-core.php; another could be exploited via theme name fallback, according to the release notes.
One of the CSRF bugs, identified by Abdullah Hussam, an Iraqi security researcher who’s previously found bugs in Vine, Twitter, and Vimeo, could lead to a bypass if a specific Flash file was uploaded. Another CSRF bug, discovered by Danish developer Ronni Skansing, was tied to how WordPress handled accessibility mode in widget editing. Skansing has found several bugs in WordPress over the years. Last February he found a server-side request forgery (SSRF) vulnerability in WordPress 4.4.1. An attacker could have exploited the bug by making it appear that the server was sending certain requests, possibly bypassing access controls.
Another issue in WordPress’ REST API could have exposed user data for any users who “authored a post of a public post type.” The issue, jointly uncovered by Brian Krogsgard, who runs the WordPress news site Post Status, and Chris Jean, a WordPress developer for iThemes, was fixed by limiting which posts are seen within the API.