Flaws in the live editor and action_builder_content functions of the plugin “allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed.”
Live Editor (will add new administrative user): action_builder_content: