The update also incorporates fixes for 20 bugs from version 4.2 of the platform. The company is strongly encouraging webmasters to update their sites to the most recent build (4.2.3) immediately. The XSS vulnerability could be exploited by any users marked contributor or author according to an engineer at Automattic, WordPress parent company. The bug could ve allowed Subscribers to create blog posts via the CMS Quick Draft mechanism. The latest version of Count Per Day, a WordPress counter plugin, was removed from the plugin directory earlier this week.
Source: https://threatpost.com/wordpress-patches-critical-xss-vulnerability-in-all-builds/113916/