An insufficient user input validation (of HTTP-Header: βRefererβ) results in a persistent XSS in the WordPress admin-panel. An attacker may be able to access any cookies, session tokens or other sensitive information retained by the browser and used with that site.