http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1732 "** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: another researcher disputes this issue, stating that this is legitimate functionality for administrators. However, it has been patched by at least one vendor." Posted for maintainer assessment of whether this is a feature or a bug, and whether it affects current FE releases. FWIW, Gentoo has patched it.
This looks to me like a valid feature - it requires authentication and willing interaction on the part of the authenticated individual to exploit. I can't really call someone who knowingly and willingly uses such a feature a "victim". Although I can see where some would consider this a bug, I don't. If someone can point out a scheme whereby this would be a problem, I'm willing to be convinced otherwise, but until then, CLOSED-NOTABUG
Just some general data points for consideration, I'm not necessarily disagreeing with comment 1: Missing/ineffective cross site request forgery prevention measures would invalidate the "knowing/willing" assumption. But if I understand correctly, WordPress's admin UI has that protection. Requiring authentication and willing interaction doesn't IMO make this a feature if the goal was not to provide a possibility for injection of arbitrary markup or scripts; it just affects the attack vectors.
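As an added illustration of the point made in comment 2, and not code from this thread or from WordPress itself: the same admin-only request parameter reflected into a page, once with no request-forgery check and once behind a per-session CSRF token with output encoding. The function names (render_import_page_unprotected, csrf_token_for_session, and so on) and the `_csrf` field are my own; WordPress's real equivalents are wp_nonce_field() and check_admin_referer().

```php
<?php
// Added example, not WordPress code. Shows why an "admin-only" reflected
// parameter is only as safe as the CSRF protection around the form.
// All names here (render_import_page_*, csrf_token_*, _csrf) are illustrative.

session_start();

// Issue one unguessable token per session and embed it in every admin form.
function csrf_token_for_session(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session's copy.
function csrf_token_is_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Weak version: assumes whoever reached this handler is a "willing" admin.
// A third-party page can submit this form on a logged-in admin's behalf, so
// the knowing/willing assumption fails and the reflected value is plain XSS.
function render_import_page_unprotected(array $request): string {
    $demo = $request['demo'] ?? '';
    return "<p>Demo mode: " . $demo . "</p>";
}

// Hardened version: reject requests that lack the session's token (a forged
// cross-site request cannot read it), then HTML-encode the value regardless.
function render_import_page_protected(array $request): string {
    if (!csrf_token_is_valid($request['_csrf'] ?? null)) {
        http_response_code(403);
        return "<p>Request failed a security check.</p>";
    }
    $demo = htmlspecialchars($request['demo'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Demo mode: " . $demo . "</p>";
}

// Constructed request body, as a forged cross-site POST would deliver it.
$forged = ['demo' => '<script>alert(1)</script>'];
echo render_import_page_unprotected($forged), "\n";   // script tag reaches the page
echo render_import_page_protected($forged), "\n";     // rejected: no session token
$genuine = $forged + ['_csrf' => csrf_token_for_session()];
echo render_import_page_protected($genuine), "\n";    // token valid, markup encoded
```

The first call reproduces the scenario comment 2 warns about: without a token, "requires an authenticated admin" only describes who the browser is, not who chose to send the request. The second and third calls show that the token check and the output encoding are independent controls; the encoding still applies when the request is genuine, so the remaining behaviour is the administrative feature comment 1 describes, without the injection.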