WPML is the standard for creating multi-language WordPress sites.
The String Translation plugin allows to translate interface strings directly from within WordPress without having to use .mo files.
Header: x-xss-protection:1; mode=block
WPML String Translation 2.1.3
The vulnerability is an XSS in search field on addon WPML String Translation.
The vulnerabilities were found by Teofil Cojocariu.
The vendor was notified on May 20, 2015 and the patch was released on May 21, 2015 (version 2.1.4).