An emergency security release of WordPress was just put out. It fixes a cross-site scripting (XSS) vulnerability and an open redirection vulnerability.
From the WordPress team:
The details of the two fixes, according to the WordPress blog, are:
- A cross-site scripting vulnerability for “certain local URI’s” was resolved. This kind of vulnerability allows an attacker to embed malicious code into site content which is then loaded by site members or administrators and which executes with their privileges. [More on XSS vulnerabilities here]
- An open redirection attack was resolved. This lets an attacker send a user to a WordPress site using a URL that contains a parameter that redirects them to another site. It’s a useful way of performing phishing attacks whereby an attacker sends a victim to a malicious site by disguising the link as a non-malicious site or a known site.
- The release also fixes 17 non-vulnerability related bugs.
Find the full details here
WordPress 4.4.2 Security Release – Why you need to update immediately
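
The open redirection issue described above comes down to trusting a destination taken from a URL parameter. The following is an added example, not WordPress's code and not taken from the release: a same-site check for a redirect parameter, applied after URL-decoding. The host `blog.example`, the parameter name `next` and both function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "blog.example"   # constructed host name for the site being protected


def safe_redirect_target(target, site_host=SITE_HOST, default="/"):
    """Return target if it stays on site_host, otherwise default."""
    # Browsers treat "\" like "/" and drop tabs/newlines, so "/\host" can end
    # up meaning "//host". Refuse such characters before parsing.
    if not target or any(c == "\\" or ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return default
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
    except ValueError:            # malformed authority such as "http://[bad"
        return default

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: http(s) only, same host,
        # and no userinfo ("https://blog.example@other.example/").
        if parts.scheme not in ("", "http", "https"):
            return default
        if "@" in parts.netloc or host != site_host:
            return default
        return target

    # No scheme and no authority: accept a single-slash local path only.
    # "///host" parses with an empty authority, but browsers still leave the site.
    if target.startswith("/") and not target.startswith("//"):
        return target
    return default


def redirect_for_request(url, param="next"):
    """Pick the redirect destination for an incoming request URL.

    The parameter name "next" is hypothetical. parse_qs percent-decodes the
    value, so the check runs on what the browser would actually follow.
    """
    values = parse_qs(urlsplit(url).query).get(param, [])
    return safe_redirect_target(values[0]) if values else "/"
```

Anything that fails the check falls back to the site root instead of being followed, so a link that looks like it points at the trusted site cannot be used to land the visitor elsewhere.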