Description
Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.
Remediation
References