Cross-site scripting, also known as XSS, is a web application vulnerability that allows attackers to inject malicious client-side script into web pages; the script is then executed in the victims’ browsers when they visit the vulnerable website. Attackers can use a cross-site scripting vulnerability to target logged-in WordPress users and steal their browser (HTTP) cookie. Once they steal the victim’s HTTP cookie and import it into their own browser, the attackers can hijack the victim’s session.
Once the user session is hijacked, the attackers can reset the victim’s password, allowing them to terminate the victim’s session and take control of the vulnerable WordPress blog or website. For more information on XSS, read “What is the Cross-site Scripting vulnerability?”