Description
Input passed to the "User-Agent" header parameter it isn't properly sanitised before being returned to the user on 404 or 500 error. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Confirmed in version MX 7. Other versions may also be affected.
Remediation
Contact the vendor for further information.
References
Related Vulnerabilities
WordPress 4.5.x Arbitrary File Deletion Vulnerability (4.5 - 4.5.14)
Internet Information Services Unchecked Return Value Vulnerability (CVE-2005-4360)
WordPress Plugin Profile Builder-User Profile & User Registration Forms Privilege Escalation (2.4.0)
WordPress Plugin Nextend Facebook Connect Cross-Site Scripting (1.5.0)