A cross-site-scripting vulnerability has been discovered in the login form of the Shibboleth identity provider module for Wordpress.