A collection of some of the the vulns in wp 3.6
mentioned about it earlier here
here is a recorded video of it
posted an persistent xss located in the first name field of the 9gag users’ a few years back during 2012. Simply edit the html of maxchar to bypass the char limit and insert in attacking vectors.
Somehow the xss is now patched on late 2013.
However, the xsrf still works. If anyone can find an xss vulnerability then they could use that with xsrf to take over a user account by changing the main email.