Product: Wordpress-MU (multi-user)
Version: Versions prior to 2.6 are affected
Credits: Juan Galiana
Juan Galiana published the advisory to Bugtraq this week; it includes a proof-of-concept exploit.
Wordpress-MU is affected by a Cross Site Scripting vulnerability: an attacker can perform an XSS attack that gives them access to the targeted user's cookies and thereby administrator privileges.
In /wp-admin/wpmu-blogs.php an attacker can inject JavaScript code, because the GET input variables "s" and "ip_address" aren't properly sanitized.
WordPress-MU was notified, and version 2.6.1 addresses this issue. We recommend that all users upgrade as soon as possible.
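To show the class of defect the advisory describes, here is an added illustration (not WordPress-MU's own code) of a reflected-XSS pattern using the two GET parameter names from the advisory, beside the output-encoded form; the form-rendering functions and the sample input are assumptions constructed for this example.

```php
<?php
// Added illustration, not code from WordPress-MU: a hypothetical admin page that
// echoes the GET parameters "s" and "ip_address" back into a search form.

// Vulnerable pattern: the raw query-string values are written straight into HTML,
// so any quotes or markup placed in the URL are rendered by the victim's browser.
function render_search_form_unsafe(array $get): string {
    $s  = $get['s'] ?? '';
    $ip = $get['ip_address'] ?? '';
    return '<input type="text" name="s" value="' . $s . '">'
         . '<input type="text" name="ip_address" value="' . $ip . '">';
}

// Hardened pattern: each value is HTML-encoded for the context it lands in
// (an attribute value here), so quotes and angle brackets cannot break out.
function render_search_form_safe(array $get): string {
    $s  = htmlspecialchars($get['s'] ?? '', ENT_QUOTES, 'UTF-8');
    $ip = htmlspecialchars($get['ip_address'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="s" value="' . $s . '">'
         . '<input type="text" name="ip_address" value="' . $ip . '">';
}

// Constructed sample input: a value containing a double quote, which in the
// unsafe version terminates the attribute early; in the safe version it is
// emitted as &quot; and stays inert.
$sample = ['s' => 'foo" bar', 'ip_address' => '127.0.0.1'];
echo render_search_form_unsafe($sample), "\n";
echo render_search_form_safe($sample), "\n";
```

Encoding at output time for the exact HTML context (attribute, text node, URL) is the fix; input "sanitizing" alone is not sufficient.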