Maintainer of www/plone,

Multiple security advisories have been posted for issues in Plone.

http://www.openwall.com/lists/oss-security/2015/09/19/2
http://www.openwall.com/lists/oss-security/2015/09/19/3
http://www.openwall.com/lists/oss-security/2015/09/19/4
http://www.openwall.com/lists/oss-security/2015/09/19/5

I haven't looked into these further but it looks like these issues will need VuXML and an update to the port.

A commit references this bug:

Author: junovitch
Date: Mon Oct 5 03:09:25 UTC 2015
New revision: 398628
URL: https://svnweb.freebsd.org/changeset/ports/398628

Log:
  Document 20150910 Plone advisories

  PR: 203255
  Security: 6b3374d4-6b0b-11e5-9909-002590263bf5

Changes:
  head/security/vuxml/vuln.xml

The first two are for the current version of Plone. The second two are for Plone 3 or 4.2.x. There are immediate action steps for the end user in the advisory for the self-registration feature, and the end user can patch their local instance or disable the vulnerable feature. However, as the XSS feature did not have a hotfix patch, I felt it would be prudent to just document 4.3.7 as fixed.
Plone was just updated to 4.3.7. Thank you for the vuxml entry, Jason.