Jouko Pynnönen, a security researcher at Klikki Oy who reported the issue, described it as:
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
This particular vulnerability is similar to the one reported by Cedric Van Bockhaven which was patched in the WordPress 4.1.2 security release.
Unfortunately, they did not follow proper security disclosure practice and instead posted the exploit publicly on their site. This means that those who do not upgrade their sites are at serious risk.
If you haven’t disabled automatic updates, then your site will automatically update.
Once again, we strongly advise that you update your site to WordPress 4.2.1. Make sure to back up your site before you update.
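The two things a site operator should be able to confirm after reading the above are that the install is actually on 4.2.1 or later and that the plugin/theme editor, which the quoted description names as the route from an admin's session to arbitrary code on the server, is switched off. The script below is an added example, not code from the WPBeginner post or from WordPress itself. It reads the two real WordPress files involved (`wp-includes/version.php`, which holds `$wp_version`, and `wp-config.php`, where the standard `DISALLOW_FILE_EDIT` constant lives) and reports both checks. The sample file contents at the bottom are constructed for the demonstration.

```python
"""Offline audit of a WordPress install for the two points raised in the post:
is the core at 4.2.1 or later, and is the built-in file editor disabled?
Added example; the sample PHP snippets below are constructed, not real site files.
"""
import re

# From the post: WordPress 4.2.1 is the release that fixed the vulnerability.
FIXED_VERSION = (4, 2, 1)


def parse_wp_version(version_php: str) -> tuple:
    """Extract $wp_version from the text of wp-includes/version.php as an int tuple."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([0-9][0-9.]*)", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version: tuple, fixed: tuple = FIXED_VERSION) -> bool:
    """True if the installed version is at or above the fixing release.

    Shorter tuples are zero-padded so that (4, 2) compares as (4, 2, 0),
    which correctly reports the unpatched 4.2 as below 4.2.1.
    """
    n = max(len(version), len(fixed))
    padded_version = version + (0,) * (n - len(version))
    padded_fixed = fixed + (0,) * (n - len(fixed))
    return padded_version >= padded_fixed


def file_editor_disabled(wp_config_php: str) -> bool:
    """True if wp-config.php has an active define('DISALLOW_FILE_EDIT', true).

    Line comments (// and #) are stripped first so a commented-out define does
    not count. Block comments (/* ... */) are not handled by this simple check.
    """
    pattern = re.compile(
        r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE
    )
    for line in wp_config_php.splitlines():
        code = re.split(r"//|#", line, maxsplit=1)[0]
        if pattern.search(code):
            return True
    return False


def audit(version_php: str, wp_config_php: str) -> dict:
    """Run both checks and return a small report dictionary."""
    version = parse_wp_version(version_php)
    return {
        "version": ".".join(str(p) for p in version),
        "patched": is_patched(version),
        "file_editor_disabled": file_editor_disabled(wp_config_php),
    }


# Constructed sample inputs standing in for the real files on disk.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.2.1';\n"
SAMPLE_WP_CONFIG_OK = (
    "<?php\n"
    "define('DB_NAME', 'example');\n"
    "define('DISALLOW_FILE_EDIT', true);\n"
)
SAMPLE_WP_CONFIG_WEAK = (
    "<?php\n"
    "define('DB_NAME', 'example');\n"
    "// define('DISALLOW_FILE_EDIT', true);\n"  # commented out, so still enabled
)

if __name__ == "__main__":
    # On a live site, read the two files from the WordPress root instead.
    print(audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG_WEAK))
```

On a real install, replace the sample strings with the contents of `wp-includes/version.php` and `wp-config.php`. A report of `patched: False` means the automatic update described above has not happened and a manual update is due; `file_editor_disabled: False` means the editor route from the quoted description is still open even after patching.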
Originally published on WPBeginner as "WordPress 4.2.1 – Security Release Fixes Zero Day XSS Vulnerability – Update Now".