Before WordPress 4.9.5, the version string was not escaped in the getthegenerator function, and could lead to XSS in a generator tag.
{ "binaries": [ { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress" }, { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress-l10n" }, { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress-theme-twentyfifteen" }, { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress-theme-twentyfourteen" }, { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress-theme-twentysixteen" } ] }