Input appended to the URL after admin/components.php, admin/resetpassword.php, admin/settings.php, admin/support.php, admin/theme-edit.php, and admin/theme.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

 

Details