A pair of researchers have identified a cross-site scripting vulnerability in WordPress 3.3, however the bug is only reproducible on installations that were installed using an IP address rather than a domain. The vulnerability was identified and published by Aditya Modha and Samir Shah. They said in their analysis of the flaw that the bug can be triggered by posting a specially crafted comment to a WordPress blog that is vulnerable. However, it doesn t appear that the number of vulnerable installations is very high.
Source: https://threatpost.com/xss-bug-found-wordpress-33-010312/76052/