Insufficient validation of user input (the HTTP header “Referer”) results in a persistent XSS in the WordPress admin panel. An attacker may be able to access any cookies, session tokens or other sensitive information retained by the browser and used with that site.
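The flaw class described above, shown as an added example that is not code from the affected software: a stored Referer value rendered into an admin table without escaping, next to a hardened version that validates on input and escapes on output. All function names and the sample header value are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; hypothetical names, not taken from any real plugin.

// Constructed sample: a Referer value carrying markup instead of a plain URL.
$sample_referer = 'https://example.test/"><b>injected</b>';

// Input side: keep only well-formed http(s) URLs of bounded length.
function normalize_referer(?string $raw): ?string {
    if ($raw === null || strlen($raw) > 2048) {
        return null;
    }
    // Reject control characters, whitespace, quotes and angle brackets outright.
    if (preg_match('/[\x00-\x1F\x7F<>"\'\s]/', $raw)) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $raw : null;
}

// Vulnerable pattern: the stored header is concatenated into admin HTML as-is.
function render_row_vulnerable(string $stored): string {
    return '<td>' . $stored . '</td>';
}

// Hardened pattern: escape for the HTML context at output time,
// even if the value already passed input validation.
function render_row_hardened(string $stored): string {
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

echo render_row_vulnerable($sample_referer), PHP_EOL; // markup reaches the page
echo render_row_hardened($sample_referer), PHP_EOL;   // markup shown as text
var_dump(normalize_referer($sample_referer));                  // NULL (rejected)
var_dump(normalize_referer('https://example.test/page?x=1'));  // accepted URL
```

Inside WordPress itself, the output step maps to the core helpers `esc_html()` and `esc_url()`, and `esc_url_raw()` is the counterpart for values being stored.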