Description
Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.
Remediation
References
Related Vulnerabilities
MySQL Other Vulnerability (CVE-2003-0150)
WordPress Plugin Delete All Comments Easily Cross-Site Request Forgery (1.3)
WordPress Plugin Advanced Access Manager Cross-Site Scripting (6.7.9)
PHP Other Vulnerability (CVE-2015-8876)
Apache Tomcat Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2015-5351)