Jouko Pynnönen, a security researcher at Klikki Oy who reported the issue, described it as follows:
“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”
WordPress’ official statement on the security issue:
“The WordPress team was made aware of an XSS issue a few hours ago that we will release an update for shortly. It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run Akismet, which blocks this attack. When the fix is tested and ready in the coming hours WordPress users will receive an auto-update and should be safe and protected even if they don’t use Akismet.”
This particular vulnerability is similar to the one reported by Cedric Van Bockhaven which was patched in the WordPress 4.1.2 security release.
Unfortunately, the researchers did not follow coordinated disclosure and instead posted the exploit publicly on their own site. This means that sites that are not upgraded are at serious risk.
WordPress 4.2.1 is a critical security release for a widely publicized vulnerability that you do not want to ignore.
If you haven’t disabled automatic updates, then your site will automatically update.
Once again, we strongly advise that you update your site to WordPress 4.2.1. Make sure to back up your site before you update.
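If you manage several installs, the quickest way to confirm that the update actually landed is to read the version WordPress declares on disk rather than trusting the dashboard. The script below is an added example, not code from WordPress or from the original post: it reads `$wp_version` from `wp-includes/version.php` (the file WordPress core really ships) and reports whether the install is at or above 4.2.1. The `sort -V` natural-version comparison assumes GNU or a recent BSD `sort`, and the sample install it builds in a temporary directory is constructed here purely for demonstration.

```shell
#!/bin/sh
# Added example: check whether a WordPress install is older than the
# 4.2.1 security release by reading wp-includes/version.php.
# Assumptions: GNU/BSD sort with -V; WordPress core declares
# $wp_version = '<version>'; in wp-includes/version.php.

FIXED_VERSION="4.2.1"

# Print the version string declared in wp-includes/version.php under
# the WordPress root given as $1 (prints nothing if the file or line is missing).
wp_installed_version() {
    f="$1/wp-includes/version.php"
    [ -r "$f" ] || return 1
    sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$f"
}

# Exit 0 when version $1 is greater than or equal to version $2,
# using natural version ordering (4.2 < 4.2.1 < 4.3).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Print "patched", "vulnerable" or "unknown" for the install at $1.
wp_xss_status() {
    v=$(wp_installed_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 1
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Build a constructed, minimal WordPress tree declaring version $2 under
# directory $1. This is test scaffolding only, not a real install.
make_sample_install() {
    mkdir -p "$1/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$2" > "$1/wp-includes/version.php"
}

# Stand-alone usage: pass one or more WordPress root directories.
# With no arguments, demonstrate against a constructed 4.2 install.
if [ "$#" -gt 0 ]; then
    for root in "$@"; do
        printf '%s: %s\n' "$root" "$(wp_xss_status "$root")"
    done
elif [ -z "${WP_CHECK_NO_DEMO:-}" ]; then
    demo=$(mktemp -d)
    make_sample_install "$demo" "4.2"
    printf 'constructed %s install: %s\n' "4.2" "$(wp_xss_status "$demo")"
    rm -rf "$demo"
fi
```

Run it as `sh wp-check.sh /var/www/site1 /var/www/site2`; any install reported as `vulnerable` should be updated (after a backup), and `unknown` means the root you passed is not a WordPress tree or the file was unreadable. Note that this checks the version on disk only; it does not tell you whether Akismet is active, so treat a `vulnerable` result as actionable regardless of which plugins are installed.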