This vulnerability has been discovered and reported by Carl Clegg (carl(at)cjc(dot)im)
This plugin adds a text editor area to each User Profile in the dashboard for Administrators to keep private notes about each User.
$notes = (!empty($_POST['user_notes_note'])) ? stripslashes($_POST['user_notes_note']) : '';
update_user_meta($user_id, 'user-notes-note', $notes);
<script> tags is enough to execute code in the context of other administrators.
Disable the plugin until an upgrade is available.
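For comparison, a hardened version of the same save-and-display path, written as an added example rather than the plugin's own code; it reuses the field name user_notes_note and meta key user-notes-note from the advisory, while the function names and hooks (edit_user_profile_update, edit_user_profile) are assumptions about how the plugin attaches to the profile screen:

```php
<?php
// Added example (not the plugin's code): hardened handling of the
// 'user_notes_note' field and 'user-notes-note' meta key from the advisory.
// Function names are assumptions chosen for illustration.

// Save handler: capability check, nonce check, sanitize before storing.
function hardened_user_notes_save( $user_id ) {
    // Only users allowed to edit this profile (administrators) may store a note.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    // Reject requests that did not originate from the profile form (CSRF).
    check_admin_referer( 'user_notes_save', 'user_notes_nonce' );

    $raw = isset( $_POST['user_notes_note'] ) ? $_POST['user_notes_note'] : '';
    // wp_unslash() replaces the original stripslashes(); sanitize_textarea_field()
    // strips tags and invalid UTF-8, so no markup reaches the database.
    $notes = sanitize_textarea_field( wp_unslash( $raw ) );
    update_user_meta( $user_id, 'user-notes-note', $notes );
}
add_action( 'edit_user_profile_update', 'hardened_user_notes_save' );

// Render handler: escape on output even though the value was sanitized on
// input, so notes stored before the fix cannot run in an administrator's browser.
function hardened_user_notes_render( $user ) {
    if ( ! current_user_can( 'edit_user', $user->ID ) ) {
        return;
    }
    $notes = get_user_meta( $user->ID, 'user-notes-note', true );
    wp_nonce_field( 'user_notes_save', 'user_notes_nonce' );
    ?>
    <h2>User Notes</h2>
    <textarea name="user_notes_note" rows="5" cols="60"><?php
        echo esc_textarea( $notes ); ?></textarea>
    <?php
}
add_action( 'edit_user_profile', 'hardened_user_notes_render' );
```

Escaping on output is the part that closes the vulnerability in the advisory; the input sanitization and nonce check are defence in depth.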
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.