Vulnerability: Cross-site scripting WordPress Multisite Plugin Manager
Impact: Cross Site Scripting
Affected products: WordPress Multisite Plugin Manager 3.x
Affected versions: WordPress Multisite Plugin Manager 3.1.1, possibly earlier.
The vulnerability allows malicious people to conduct XSS attacks.
The vulnerability is caused due to insufficient input validation in the parameters “mass_activate” and “mass_deactivate” in script wp-admin/network/plugins.php (when the parameter “page” is “plugin-management”). This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Manufacturer URL: http://wordpress.org/extend/plugins/multisite-plugin-manager/
Solution: Install the latest version 3.1.2 from the manufacturer.