You would not expect such a vulnerability on a security researcher's blog CMS!

Where have we found this? At https://krebsonsecurity.com/

Outdated WordPress version. Outdated plug-in: w3-total-cache 0.9.5.4 (latest release: 0.12.0)
Wordpress - 5.0.4 (score 7.5)

Score  WPVDB-ID  Vulnerability
7.5    10004     WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
7.5    9912      WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
6.8    9913      WordPress <= 5.2.3 - Admin Referrer Validation
6.8    9230      WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
5.8    9863      WordPress 5.2.2 - Potential Open Redirect
5      9973      WordPress <= 5.3 - Improper Access Controls in REST API
5      9911      WordPress <= 5.2.3 - JSON Request Cache Poisoning
5      9909      WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
4.3    9910      WordPress <= 5.2.3 - Stored XSS in Style Tags
4.3    9865      WordPress 5.2.2 - Cross-Site Scripting (XSS) in Dashboard
4.3    9975      WordPress <= 5.3 - Stored XSS via Crafted Links
4.3    9861      WordPress 5.2.2 - Cross-Site Scripting (XSS) in Stored Comments
4.3    9864      WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
4.3    9867      WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
3.5    9862      WordPress 5.2.2 - Authenticated Cross-Site Scripting (XSS) in Post Previews
0      9976      WordPress <= 5.3 - Stored XSS via Block Editor Content
0      9908      WordPress <= 5.2.3 - Stored XSS in Customizer

Retirable jQuery library: jquery 1.12.4, found in https://krebsonsecurity.com/wp-includes/js/jquery/jquery.js?ver=1.12.4
Vulnerability info:
Medium - 3rd party CORS request may execute (CVE-2015-9251)
Medium - parseHTML() executes scripts in event handlers (CVE-2015-9251, jQuery ticket 11974)
Low - CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution

Various security headers not being set.

See recommendations found through linting: https://webhint.io/scanner/8d741f00-db31-41a9-ba4b-2ec1123e157f

You would not expect this from Brian Krebs and associates, and those responsible for the security of his website security website…

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)