In the default configuration, after JBoss is installed, the JMX console is available at http://localhost:8080/jmx-console. The JMX console can be used to display the JNDI tree, dump the list of threads, redeploy an application or even shut down the application server. By default, the console is not secured and can be used by remote attackers. Check References for detailed information.
It is possible to access the BSHDeployer MBean, which allows the deployment of BeanShell scripts. These scripts are executed automatically once after installation.
Restrict access to the JMX Management Console.
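One way to verify the restriction is in place, as an added example that is not part of the original advisory or of JBoss: the hypothetical function `audit_web_xml` checks a servlet `web.xml` for an active constraint on `/*`. It assumes the console is a web application whose access is governed by the standard servlet `security-constraint` and `login-config` elements; the sample documents and the `JBossAdmin` role name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}web-app".
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return findings for a JMX console web.xml (empty list = access restricted)."""
    root = ET.fromstring(xml_text)  # comments are discarded, so commented-out rules do not count
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        return ["no active security-constraint: console needs no login"]
    findings, covered = [], False
    for sc in constraints:
        seen = {}
        for e in sc.iter():
            seen.setdefault(_local(e.tag), []).append((e.text or "").strip())
        if "/*" not in seen.get("url-pattern", []):
            continue
        covered = True
        if "auth-constraint" not in seen:
            findings.append("constraint on /* has no auth-constraint")
        if "http-method" in seen:
            findings.append("http-method limits the constraint to %s; other verbs are unprotected"
                            % ",".join(seen["http-method"]))
    if not covered:
        findings.append("no security-constraint covers /*")
    if not any(_local(e.tag) == "login-config" for e in root.iter()):
        findings.append("no login-config: no authentication method defined")
    return findings

# Constructed samples for illustration, not copied from a JBoss release.
OPEN = "<web-app><!-- <security-constraint>...</security-constraint> --></web-app>"
VERB_LIMITED = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name><url-pattern>/*</url-pattern>
<http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config></web-app>"""
HARDENED = VERB_LIMITED.replace(
    "<http-method>GET</http-method><http-method>POST</http-method>\n", "")

if __name__ == "__main__":
    for name, doc in (("open", OPEN), ("verb-limited", VERB_LIMITED), ("hardened", HARDENED)):
        print(name, audit_web_xml(doc))
```

A clean result covers `web.xml` only; the security domain the application is bound to and the accounts behind it need their own review.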
JBoss JMX Console Unrestricted Access