http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6808

"Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter."

All FE4+ releases affected. This is supposedly fixed in 2.0.6, but it looks like it hasn't been released yet.

Patch at http://trac.wordpress.org/changeset/4665

updated to 2.1-0