I've quoted the Cisco summary below as it's pretty accurate.
tl;dr is an admin user on the web console can gain command execution
and then escalate to root. If this is an issue in your environment,
then please patch.
Thanks to Cisco PSIRT who were responsive and professional.
Shouts to Andrew,
BT Wifi Extenders - 300, 600 and 1200 models - Cross Site Scripting
leading to disclosure of PSK.
A firmware update is required to resolve this issue.
The essential problem is that if you hit the following URL on your
wifi extender, it will pop up a whole load of private data, including
your