A new critical zero-day stored XSS (cross-site scripting) vulnerability, discovered by Jouko Pynnonen, allows an attacker to inject malicious scripts into your website through the WordPress commenting system. The security risk is serious: because the injected script is stored by the site and served to everyone who views the comment, an attacker could infect your visitors with malware, inject mass-mailers or spam, and potentially plant a backdoor if the script executes in the browser of a logged-in WordPress administrator.
The following WordPress versions are confirmed vulnerable:
- 4.2
- 4.1.2 and 4.1.1
- 3.9.3
Please update your WordPress version as soon as possible.
Until the vulnerability has been fully addressed, you can also protect yourself by temporarily disabling comments in the WordPress backend (Settings > Discussion), so that no new comments can be submitted.
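Disabling comments through the Settings screen only changes the default for new posts; existing posts keep their own per-post comment status. The must-use plugin below is an added example written for this post, not code from the original article or from Klikki Oy. It forces comments closed on every post, rejects comment submissions before they are stored, disables XML-RPC (another comment-submission path), and hides already-stored comments from the public site. File name, message text and hook priorities are choices made here; the hooks themselves are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Emergency comment lockdown
 * Description: Temporary mitigation for the WordPress comment XSS: closes
 *              comments site-wide and rejects new comment submissions until
 *              WordPress has been updated.
 *
 * Added example, not part of the original post. Place this file in
 * wp-content/mu-plugins/ (create the directory if it does not exist).
 * Must-use plugins load automatically, cannot be deactivated from the
 * admin UI, and stay in force until the file is deleted.
 */

// Report every post as having comments and pingbacks closed, regardless of
// the per-post setting, so themes do not render the comment form at all.
// PHP_INT_MAX priority makes this filter run after any theme or plugin filter.
add_filter( 'comments_open', '__return_false', PHP_INT_MAX, 2 );
add_filter( 'pings_open',    '__return_false', PHP_INT_MAX, 2 );

// Belt and braces: a direct POST to wp-comments-post.php bypasses the theme,
// so also abort the request before the comment is written to the database.
// pre_comment_on_post fires in wp_handle_comment_submission() before insertion.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    wp_die(
        'Comments are temporarily disabled on this site.',
        'Comments disabled',
        array( 'response' => 403 )
    );
}, 0 );

// XML-RPC (wp.newComment) is another way to submit comments; turn it off
// for the duration of the lockdown.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Do not render comments that are already stored on the public site. This
// does not delete them; review and remove suspicious comments separately.
add_filter( 'comments_array', function ( $comments, $post_id ) {
    return array();
}, PHP_INT_MAX, 2 );
```

This blocks new submissions and keeps stored comments off the front end, but it does not remove anything already in the database and it does not patch the underlying bug, so updating WordPress remains necessary. Delete the file from mu-plugins/ once the update is applied.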
Below is the video by Klikki Oy