From http://1337day.com/exploits/21338:
This exploit uses multiple vulnerabilities in Openfire.
Openfire admin must visit exploit link.
Attacker can create new admin or change admin password.
But there is no real exploit code example except for the paid one.
Yes, the pending pull request addresses part of the documented vulnerability (XSS). I have reviewed it, and will merge it into the master before the 3.9.2 release is shipped.
FYI related to WIP on admin console CSRF vulnerabilities: http://community.igniterealtime.org/message/238263
This issue is partially resolved (XSS vulnerabilities) with the merge of pull request #1 into master.
A fix for the CSRF vulnerabilities is still pending.
Moving unfixed 3.9.2 issues to 3.9.3 for consideration.
cloned for the CSRF work
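The attack described in the first comment (an admin visits an attacker's link, the admin console accepts the resulting request, and a new admin is created) and the two fix classes discussed in the thread (XSS, CSRF), modelled as an added example. This is illustrative code written for this page, not Openfire's admin console or the code in the pending pull request; the class and function names, the console origin and the token scheme are assumptions. The vulnerable handler trusts the session cookie alone and reflects the username unescaped (the XSS half of the report); the hardened handler escapes output, requires a per-session synchronizer token that a cross-site page cannot read, and rejects requests whose Origin header is not the console's own.

```python
"""Toy model of an admin-console "add admin" endpoint: why a cross-site
request succeeds without CSRF defences, and how a synchronizer token plus
an Origin check stops it. Illustrative only; not Openfire code."""
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CONSOLE_ORIGIN = "https://admin.example.org:9091"  # assumed console origin


@dataclass
class Session:
    user: str
    # Per-session secret; a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class AdminConsole:
    def __init__(self) -> None:
        self.admins = {"admin"}
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Returns the session id the browser stores as a cookie."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user)
        return sid

    def _admin_session(self, cookie_sid: Optional[str]) -> Optional[Session]:
        sess = self.sessions.get(cookie_sid or "")
        return sess if sess is not None and sess.user in self.admins else None

    def vulnerable_add_admin(self, cookie_sid: Optional[str],
                             form: Dict[str, str]) -> Tuple[int, str]:
        """Authenticates with the cookie only. Browsers attach the cookie to a
        form POST from any site, so an admin who merely visits an attacker's
        page submits this request without knowing. The reply also reflects the
        username unescaped (reflected XSS)."""
        sess = self._admin_session(cookie_sid)
        if sess is None:
            return 403, "forbidden"
        self.admins.add(form["username"])
        return 200, f"<p>Added admin {form['username']}</p>"

    def hardened_add_admin(self, cookie_sid: Optional[str],
                           form: Dict[str, str],
                           origin: Optional[str]) -> Tuple[int, str]:
        """Same action, but the request must carry the session's CSRF token
        (readable only by same-origin pages) and, when the browser sends an
        Origin header, it must be the console's own origin."""
        sess = self._admin_session(cookie_sid)
        if sess is None:
            return 403, "forbidden"
        if origin is not None and origin != CONSOLE_ORIGIN:
            return 403, "cross-origin request rejected"
        # Constant-time comparison; an empty or missing token never matches.
        if not hmac.compare_digest(form.get("csrf", ""), sess.csrf_token):
            return 403, "missing or invalid CSRF token"
        self.admins.add(form["username"])
        return 200, f"<p>Added admin {html.escape(form['username'])}</p>"


def simulate() -> Dict[str, object]:
    """Replays the reported attack against both handlers (constructed data)."""
    console = AdminConsole()
    sid = console.login("admin")  # the admin is logged in; cookie == sid

    # The attacker's page auto-submits this form to the console. The browser
    # adds the admin's cookie, but the page cannot read the CSRF token.
    evil_form = {"username": "<script>alert(1)</script>"}
    v_status, v_body = console.vulnerable_add_admin(sid, evil_form)
    h_status, _ = console.hardened_add_admin(sid, evil_form, "https://attacker.example")

    # A legitimate submission from the console's own form carries the token.
    good_form = {"username": "alice", "csrf": console.sessions[sid].csrf_token}
    l_status, l_body = console.hardened_add_admin(sid, good_form, CONSOLE_ORIGIN)

    return {"vulnerable_status": v_status, "vulnerable_body": v_body,
            "hardened_status": h_status, "legit_status": l_status,
            "legit_body": l_body, "admins": set(console.admins)}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The hardened handler keeps the token check even when no Origin header is present, because older browsers and some proxies omit it; the Origin check is a cheap additional layer, not a replacement for the token.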