A SQL injection vulnerability in the “wp_untrash_post_comments” function in wp-includes/post.php in versions prior to 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash.
“Bulletin (CVE-2015-2213).” US-CERT. Department of Homeland Security, 09 Nov. 2015. Web. 17 Nov. 2015. <https://www.us-cert.gov/ncas/bulletins/SB15-320>.