CVE-2012-2403
wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
Date published : 2012-04-21
http://www.securityfocus.com/bid/53192
http://core.trac.wordpress.org/changeset/20493/branches/3.3/wp-includes/capabilities.php