All past versions of WordPress “are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site,” according to the release post by Gary Pendergast.
WordPress 4.1.2, 4.2 RC3, and new tag releases on past versions dating back to 3.7 have been released and deployed for auto updates. If your websites don’t get auto updates, then you should absolutely upgrade them yourself.
The WordPress core team has intentionally left it vague as to which bug was the most critical. The most dangerous time to have out-of-date software is after a vulnerability has been disclosed, so be sure to update.
80.5% of all WordPress installs run on 3.7+, so unfortunately the installs still on older versions remain insecure. However, the auto-update ability introduced in 3.7 has undoubtedly made for a safer web, so that on days like today we can get updates out to far more websites.
We are very near release for WordPress 4.2 as well. The original goal date was April 22nd, and while that date is highly unlikely, I understand we won’t miss it by much, so get ready.