UPDATE: WordPress has just released WordPress 4.2.1
They say they just learned about the vulnerability a few hours ago.
Jouko Pynnönen sent an email to the fulldisclosure list about a WordPress XSS 0-Day.
Pynnönen writes:
Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
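The advisory above describes the classic stored-XSS chain: untrusted comment text is saved as submitted and later emitted into a page, so whatever markup the commenter supplied becomes live in the browser of whoever views it, including an administrator. The following Python script is an added illustration written for this post; it is not code from WordPress or from the researcher, and the comment store, render functions and sample comments are all constructed for the example. It places the vulnerable pattern (interpolating the comment body straight into HTML) next to the hardened one (escaping at output time in the HTML text context), then runs a small parser-based check over the rendered page that reports script elements, inline event handlers and `javascript:` URLs, which is the kind of check a moderation queue or a post-render test could apply.

```python
import html
from html.parser import HTMLParser

# Constructed sample comments. The first is benign; the other two carry the
# kind of payload a stored-XSS advisory is about. They are harmless test
# strings here, but in an unescaped page they would run in the viewer's browser.
SAMPLE_COMMENTS = [
    {"author": "alice", "body": "Nice post, thanks!"},
    {"author": "mallory", "body": "<script>alert(1)</script>"},
    {"author": "mallory", "body": "<img src=x onerror=alert(1)>"},
]


def render_comment_unsafe(comment):
    """Vulnerable pattern: comment fields are interpolated into HTML as-is."""
    return f'<li><b>{comment["author"]}</b>: {comment["body"]}</li>'


def render_comment_safe(comment):
    """Hardened pattern: every untrusted field is HTML-escaped at output time.

    html.escape(..., quote=True) turns < > & " ' into entities, so the
    browser renders the comment as text instead of parsing it as markup.
    """
    author = html.escape(comment["author"], quote=True)
    body = html.escape(comment["body"], quote=True)
    return f"<li><b>{author}</b>: {body}</li>"


def render_page(comments, renderer):
    """Assemble the comment list the way a template would."""
    return "<ul>\n" + "\n".join(renderer(c) for c in comments) + "\n</ul>"


class _ActiveContentFinder(HTMLParser):
    """Records markup that would execute script when the page is viewed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event handler attribute {lname}")
            elif lname in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {lname}")


def find_active_content(markup):
    """Return a list of active-content findings for a rendered HTML fragment.

    An empty list means the parser saw no script element, no on* handler and
    no javascript: URL; escaped text such as &lt;script&gt; never reaches
    handle_starttag, which is exactly why output escaping works.
    """
    parser = _ActiveContentFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_comment_unsafe), ("safe", render_comment_safe)):
        page = render_page(SAMPLE_COMMENTS, renderer)
        print(f"--- {name} renderer ---")
        print(page)
        print("active content:", find_active_content(page) or "none")
```

Running the script prints both pages: the unsafe one contains a live `<script>` element and an `onerror` handler, the safe one shows the same comments as inert text. The structural fix is the escaping in `render_comment_safe`, applied at the point where data meets markup; the workaround quoted below (disabling or not approving comments) removes the input path instead, which is why it works as a stopgap while the release that fixes the rendering is rolled out.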
The workaround is to:
Disable comments [..] Do not approve any comments.
According to the security researcher:
WordPress has refused all communication attempts about security issues from us since November 2014. We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20. As far as we know, they have also refused to answer the Finnish communications regulatory authority who has tried to coordinate resolving the issues we have reported, and HackerOne staff who have tried to clarify the status.