A critical stored cross-site scripting zero-day vulnerability affecting tens of millions of WordPress sites has been patched in version 4.2.1. The vulnerability allowed malicious JavaScript to be stored in comment fields and executed server-side. The comment has to be at least 66,000 characters long, and it is triggered when the comment is viewed, researcher Jouko Pynnonen said. WordPress said it has begun rolling out the update as an automatic background update on sites that support such updates.
Source: https://threatpost.com/wordpress-patches-zero-day-vulnerability/112455/

