A brief, high level overview on how to do this, I will post a much more detailed version later.
1. Identify there is a security vulnerability by googling "<application name> vulnerability"
Ex: Wordpress 3.0 vulnerability
This will identify most known vulnerabilities.
2. Find out which version above your current installed version the patch exists in. Generally, if it's a significant vulnerability it is patched in the next version or after a public disclosure of the vulnerability.
3. Download the version which includes the patch/update.
4. DIFF between your current version and the patched version.
This will show you the code which has changed between them. It requires you to think logically where this code may be (in a functions file, an include, an update module etc) as there may be a lot of code that has been modified between the two.
XSS - Generally a search for any sanitization function or function that grabs parameters (get params etc) or htmlentities, htmlspecialcahrs,strip_tags in the patched version which aren't included in the previous version will help identify where the patch most likely is located.
SQL - Same basic idea as XSS but you want to look for "INSERT" "UPDATE" etc, anything related to a DB insert or update as well as any sanitization function or function that grabs parameters.
Remote Code Execution - You want to search the new version for EVAL, SYSTEM, ASSERT, EXEC. Anything that can invoke a system call. Sometimes these will be replaced by completely new functions so you may want to check the vulnerable version as well in case it was removed/replaced.
We will go into much more detail in a future update.