WordPress 4.2.2 was released this evening in order to protect against a critical security bug in Genericons. From the release post:
The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it.
The update removes the example.html file from Twenty Fifteen and from anywhere else it appears in wp-content (including other themes and plugins). The file is not needed, but it did include code that was susceptible to attack.
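For sites that bundle Genericons outside of WordPress.org-hosted themes and plugins, or that cannot update right away, the same cleanup can be audited by hand. The script below is an added example, not WordPress core's code: the function names are made up for illustration, and the matching rule (a file named example.html anywhere beneath a directory named genericons) is an assumption about where the file lives.

```shell
#!/bin/sh
# Added example: audit a wp-content tree for leftover Genericons example.html files.
# Assumption: the file is named example.html and sits somewhere beneath a
# directory called "genericons" (or "Genericons"). This is not core's own logic.

# list_genericons_examples WP_CONTENT_DIR
# Prints one matching path per line; returns 2 if the directory does not exist.
list_genericons_examples() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f -name 'example.html' -path '*/[Gg]enericons/*' -print
}

# count_genericons_examples WP_CONTENT_DIR
# Prints the number of matches (0 means nothing left to clean up).
count_genericons_examples() {
    list_genericons_examples "$1" | wc -l | tr -d ' '
}

# remove_genericons_examples WP_CONTENT_DIR
# Deletes each match and prints the paths that were actually removed.
remove_genericons_examples() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f -name 'example.html' -path '*/[Gg]enericons/*' \
        -exec rm -f -- {} \; -print
}

# Command-line use: script [--remove] /path/to/wp-content
# Without --remove the script only reports what it finds.
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--remove" ]; then
        remove_genericons_examples "$2"
    else
        list_genericons_examples "$1"
    fi
fi
```

Run it in report mode first and review the paths before using `--remove`; other files in the genericons directory (fonts, CSS) are left untouched.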
The vulnerability was known for over a week, and disclosure was supposed to be a coordinated effort, but I understand that the core team was caught off guard by Sucuri’s disclosure this morning.
Many hosts were prepared for the disclosure and had already created a layer of protection for their customers; however, I noticed no EIG hosts were on the list (Bluehost, Hostgator, etc.), so a lot of sites are definitely vulnerable without the update.
It’s easy to have update fatigue (you can believe the core team does too), but these updates are important and it’s why part of owning a WordPress website is to be on top of them; the software is too popular to ignore updates.
4.2.2 also includes a “comprehensive fix” for the comment length issue that caused a quick release of 4.1.1.
In addition to 4.2 being updated, every major version back to 3.7 was updated to new point releases (likely due to comment fixes, not for Genericons).