From: Markus Koschany <apo@debian.org>
Date: Fri, 16 Sep 2016 18:55:34 +0200
Subject: CVE-2016-6634

Cross-site scripting (XSS) vulnerability in the network settings page in
WordPress before 4.5 allows remote attackers to inject arbitrary web script or
HTML via unspecified vectors.

https://wpvulndb.com/vulnerabilities/8474
Origin: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
---
 wp-admin/network/settings.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/wp-admin/network/settings.php
+++ b/wp-admin/network/settings.php
@@ -272,7 +272,7 @@
 			<tr>
 				<th scope="row"><label for="first_comment_author"><?php _e( 'First Comment Author' ) ?></label></th>
 				<td>
-					<input type="text" size="40" name="first_comment_author" id="first_comment_author" value="<?php echo get_site_option('first_comment_author') ?>" />
+					<input type="text" size="40" name="first_comment_author" id="first_comment_author" value="<?php echo esc_attr( get_site_option('first_comment_author') ) ?>" />
 					<p class="description">
 						<?php _e( 'The author of the first comment on a new site.' ) ?>
 					</p>
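
Review bot: On the changed `value="..."` line, esc_attr() is the correct escaper for an attribute context, but this hunk touches only the first_comment_author input and nothing in the patch changes how the option is saved, so the fix relies entirely on escaping at every output site. Before upload, check the rest of wp-admin/network/settings.php in the targeted version for other `echo get_site_option(` calls that land in an attribute or a textarea, and confirm each one is wrapped in esc_attr() or esc_textarea(). As a minor style point, the new line mixes `esc_attr( ... )` with `get_site_option('first_comment_author')` and ends the PHP block without a semicolon; that matches the upstream commit given in Origin, so leaving it as is keeps the backport easy to compare.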
