Is there any way to get the WordPress community involved in actually
handling security issues properly? E.g. requesting CVEs, or heck,
I'll settle for being notified via email directly. I found out about
this stuff on Reddit (linked to Tony Perez's blog posting) so I read
the code and voila:

===============================================================

WP-Super-Cache XSS 1.3
Fixed in 1.3.1 with code changes like:
- -<form name="wp_manager" action="<?php echo $_SERVER[ "REQUEST_URI" ];
?>" method="post">
+<form name="wp_manager" action="" method="post">
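
Review bot: the + line fixes only this one form; any other template that still echoes $_SERVER[ "REQUEST_URI" ] into an attribute needs the same treatment, and where an explicit target is required the value should go through esc_url() rather than a raw echo. An empty action attribute also makes the form post back to the current URL, so confirm that is the intended handler for wp_manager.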

Please use CVE-2013-2008 for this issue.

===============================================================

WP-Super-Cache 1.2 Remote Code Execution
Fixed in 1.3:
+2013-04-11 10:39  donncha
+
+       * wp-cache.php: Remove mfunc, mclude and dynamic-cached-content
+         tags from comments. Props Frank Goossen
+
(http://blog.futtta.be/2013/04/10/wp-safer-cache-stopgap-for-wordpress-cache-plugins-vulnerability/)
+         and kisscsaby
+         (http://wordpress.org/support/topic/pwn3d?replies=6)

http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html

To test leave a comment like: <!?mfunc echo PHP_VERSION; ?><!?/mfunc?>

To fix it they added a mfunc filter in wp-super-cache-1.3/wp-cache.php:

+add_filter( 'preprocess_comment','no_mfunc_in_comments' );
+add_filter( 'comment_text','no_mfunc_in_comments' );
+add_filter( 'comment_excerpt','no_mfunc_in_comments' );
+add_filter( 'comment_text_rss','no_mfunc_in_comments' );
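
Review bot: the callback no_mfunc_in_comments is registered on four hooks but its body is not in the hunk, so it cannot be checked against the three tags the changelog names (mfunc, mclude, dynamic-cached-content); please include it. Note also that preprocess_comment passes the comment data array while comment_text, comment_excerpt and comment_text_rss pass strings, so the one callback has to handle both shapes, and that these hooks cover comment content only.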

Please use CVE-2013-2009 for this issue.
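
For triage on a site that ran an affected version, the following added example (not part of the original message and not WP-Super-Cache code) scans comment rows for the three tags named in the changelog. It assumes the tags are written as HTML comments ("<!--mfunc ... -->"); the function names, the row layout and the sample rows are hypothetical.

```python
import html
import re

# Tag names taken from the 1.3 changelog entry quoted above.
TAGS = ("mfunc", "mclude", "dynamic-cached-content")

# Assumption: an opener looks like "<!--name" and a closer like "<!--/name".
# Case and whitespace are matched loosely so variants are still reported.
TAG_RE = re.compile(
    r"<!--\s*(/?)\s*(" + "|".join(re.escape(t) for t in TAGS) + r")\b",
    re.IGNORECASE,
)


def normalize(text):
    """Undo entity encoding and typographic dashes that would hide a marker."""
    prev = None
    while prev != text:  # decode repeatedly: &amp;lt; -> &lt; -> <
        prev, text = text, html.unescape(text)
    # Assumption: an editor or theme may have turned "--" into an en/em dash.
    return text.replace("\u2013", "--").replace("\u2014", "--")


def find_dynamic_tags(comments):
    """Return (comment_id, tag, 'open'|'close') for every marker found."""
    hits = []
    for cid, body in comments:
        for m in TAG_RE.finditer(normalize(body)):
            kind = "close" if m.group(1) else "open"
            hits.append((cid, m.group(2).lower(), kind))
    return hits


# Constructed sample rows (comment_ID, comment_content); not real data.
SAMPLE = [
    (101, "Great post, thanks!"),
    (102, "<!--mfunc placeholder(); --><!--/mfunc-->"),
    (103, "&lt;!--MCLUDE file.php--&gt;"),
    (104, "I wrote about mfunc on my blog."),  # plain mention, not a tag
    (105, "<!\u2013dynamic-cached-content\u2013>"),
]

if __name__ == "__main__":
    for hit in find_dynamic_tags(SAMPLE):
        print(hit)
```

Any hit is a reason to review that comment and the cached pages generated from it, whether or not the installed version already filters these tags.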