WordPress has just released a critical update to fix a serious XSS vulnerability that allows attackers to easily hijack websites based on the popular CMS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed by a logged-in administrator. WordPress hasnt recognized the security flaw since it was first submitted in November of 2014 via the CERT-FI and HackerOne. WordPress has already released the version 4.2.1, the critical update that fixes the flaw.”]
Source: http://securityaffairs.co/wordpress/36360/hacking/wordpress-4-2-1-fixed-zero-day.html