WordPress upgraded to version 4.3.1 today to fix three vulnerabilities in the core engine. Two of the vulnerabilities were discovered by researchers at Check Point Software Technologies. The most serious of the patched vulnerabilities involve a WordPress-specific feature called shortcodes. Shortcodes are HTML tags that were introduced in version 2.5 as a simple way to embed macros in code, saving developers the hassle of re-writing HTML. An attacker could abuse how the platform processes shortcodes and inject arbitrary JavaScript that would execute when a WordPress page renders.
Source: https://threatpost.com/wordpress-patches-serious-shortcodes-core-engine-vulnerability/114673/