**Update 20150427**: A patch has been released and made available by the WordPress Core Team in version 4.2.1 – Please update immediately. Yes, you’ve read it

Fonte: Critical Persistent XSS 0day in WordPress | Sucuri Blog