This exploit uses multiple vulnerabilities in Openfire.
Openfire admin must visit exploit link.
An attacker can create a new admin or change the admin password.
But there is no real exploit code example except for the paid one.
Yes, the pending pull request addresses part of the documented vulnerability (XSS). I have reviewed it, and will merge it into the master before the 3.9.2 release is shipped.
Moving unfixed 3.9.2 issues to 3.9.3 for consideration.
cloned for the CSRF work