Maintainer of www/plone,
Multiple security advisories have been posted for issues in Plone.
I haven't looked into these further but it looks like these issues will need VuXML and an update to the port.
A commit references this bug:
Date: Mon Oct 5 03:09:25 UTC 2015
New revision: 398628
Document 20150910 Plone advisories
The first two are for the current version of Plone. The second two are for Plone 3 or 4.2.x.
There are immediate action steps for the end user in the advisory for the self-registration feature and the end user can patch their local instance or disable the vulnerable feature. However as the XSS feature did not have a hotfix patch I felt it would be prudent to just document 4.3.7 as fixed.
Plone was just updated to 4.3.7. Thank you for the vuxml entry, Jason.