A Finnish researcher has disclosed details of a zero-day vulnerability he discovered in the core engine of WordPress 4.2 and earlier. Jouko Pynnönen of Klikki Oy reported a new and unpatched stored cross-site scripting vulnerability in the platform. A similar bug was patched this week by WordPress developers, but only 14 months after it was reported. The vulnerability allows an attacker to inject JavaScript through the WordPress comment field. The comment has to be at least 66,000 characters long, and the injected script is triggered when the comment is viewed.
Source: https://threatpost.com/details-on-wordpress-zero-day-disclosed/112435/

