Launchpad.net

CVE 2016-10964

The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent HTTP header.

See the CVE page on Mitre.org for more details.