A vulnerability has been discovered in the WordFence plugin for WordPress, which can be exploited by malicious people to conduct script insertion attacks.
Input passed via the "User-Agent" HTTP header is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a administrator's browser session in context of an affected site when the malicious data is being viewed.
The vulnerability is confirmed in version 3.8.6.
http://secunia.com/advisories/56558/