A critical XSS bug impacts WordPress sites running the Frontend File Manager plugin and allows remote unauthenticated users to inject JavaScript code to create admin user accounts.