Description
A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.
Remediation
References
Related Vulnerabilities
WordPress Plugin Analyticator Multiple Cross-Site Scripting Vulnerabilities (6.4.9.5)
WordPress Plugin MainWP Dashboard Cross-Site Scripting (3.1.2)
WordPress Plugin Duplicate Page Unspecified Vulnerability (3.5)
WordPress Plugin PictPress 'resize.php' Multiple Local File Include Vulnerabilities (1.0)
Drupal Improper Access Control Vulnerability (CVE-2015-2559)