A new stored cross-site scripting (XSS) vulnerability in comments, being called a “Zero Day”, has been found in the latest versions of WordPress: 4.2, 4.1.2, 4.1.1, and 3.9.3.
Through this exploit an attacker could also change the administrator’s password, create new administrator accounts, or do anything else that a logged-in administrator is able to do.
An attacker triggers this exploit by posting an excessively long comment that exceeds the size limit of the MySQL TEXT column type, which causes the stored comment to be silently truncated. The truncated comment then produces malformed HTML when it is rendered on the web page.
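The failure mode described above, modelled as an added example (not code from the article or from WordPress): a non-strict database cuts the comment at the column's byte limit, which can split an otherwise allowed tag, and the defender-side fix is to measure the UTF-8 byte length before storing and refuse anything that would be truncated. The `store_like_mysql_text` model, the small limits, and the sample comment are all constructed for illustration.

```python
# Added example: silent TEXT-column truncation versus a pre-insert byte-length check.
TEXT_MAX_BYTES = 65535  # capacity of a MySQL TEXT column, counted in bytes, not characters


def store_like_mysql_text(comment: str, limit: int = TEXT_MAX_BYTES) -> str:
    """Hypothetical model of a non-strict MySQL server: data longer than the
    column is cut at the byte limit and stored with only a warning."""
    data = comment.encode("utf-8")[:limit]
    return data.decode("utf-8", errors="ignore")


def render_comment(stored: str) -> str:
    """Model of a renderer that trusts markup that was filtered before storage."""
    return f'<div class="comment">{stored}</div>'


def tags_balanced(markup: str) -> bool:
    """Cheap structural check: every '<' must be closed by a '>' before the next '<'.
    A comment cut off inside a tag fails this check."""
    inside_tag = False
    for ch in markup:
        if ch == "<":
            if inside_tag:
                return False
            inside_tag = True
        elif ch == ">":
            if not inside_tag:
                return False
            inside_tag = False
    return not inside_tag


def would_truncate(comment: str, limit: int = TEXT_MAX_BYTES) -> bool:
    """Defender check: measure UTF-8 *bytes*, as the database does. A character
    count (len) under-reports multibyte text and would let truncation through."""
    return len(comment.encode("utf-8")) > limit


def validate_comment(comment: str, limit: int = TEXT_MAX_BYTES):
    """Return None if the comment can be stored intact, else a rejection reason.
    Rejecting is the safe choice: a stored prefix is no longer the filtered input."""
    if would_truncate(comment, limit):
        return "comment exceeds storage limit; refusing to store a truncated prefix"
    return None


# Constructed sample: 50 bytes of text followed by an allowed link; with a
# 60-byte column the stored copy ends in the middle of the <a> tag.
SAMPLE = "x" * 50 + '<a href="https://example.com">site</a>'
```

With `SAMPLE` and a 60-byte limit, `store_like_mysql_text` keeps only `'<a href="h'` of the tag, so `tags_balanced` fails, while `validate_comment` rejects the comment before it is stored.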
“The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.”
The WordPress security team has released a patch that is now available to download, or to update through your WordPress dashboard. This is considered a critical security release for all previous versions, and an immediate update is strongly encouraged.