Poor WordPress documentation trips developers, yields plug-ins with XSS flaw
Ambiguous WordPress documentation led many plug-in and theme developers to make an error that exposed websites to cross-site scripting (XSS) attacks.
The impact depends on the user’s role on the website. For example, if victims have administrative privileges, attackers could trigger rogue administrative actions. If victims are regular users, attackers could steal their authentication cookies and hijack their accounts.
The vulnerability stems from insecure use of two WordPress functions called add_query_arg and remove_query_arg and was discovered recently by researchers from code auditing company Scrutinizer.