These vulnerabilities allow an attacker to inject arbitrary web script or HTML via the
- ga_downloads_prefix
- ga_downloads
- ga_adsense
- ga_admin_disable_DimentionIndex
- ga_outbound_prefix parameter in the google-analyticator page to wp-admin/admin.php.
Solution
Update the plugin.