Akismet has a critical XSS bug that dates back quite some time.
A researcher from Sucuri notified us of an XSS vulnerability in the Akismet WordPress plugin. This bug affects all versions of the Akismet WordPress plugin since 2.5.0, but we have no evidence that it has been exploited in the wild.
We’ve released updates for all vulnerable versions of the Akismet plugin. Additionally, the WordPress.org plugins team has enabled an automatic update for all sites running these vulnerable versions that are able to auto-update plugins.
Because the vulnerability is theoretically exploitable via comments, Akismet is already blocking attempts during the comment-check API call even if you are not running the most recent version. However, to be as safe as possible, you should still upgrade immediately.
Akismet is pretty much the most activated WordPress plugin there is, and an actively exploited bug would be a big deal for the plugin, making the auto-update procedure a no brainer in this case.