Klikki Oy security bod Pynnonen commented: “An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication”, and called it “probably the most serious WordPress core vulnerability that has been reported since 2009”.
The flaw has existed for about four years and affects versions 3.0 through 3.9.2, but not the newest version, 4.0. Official patches were released on November 20 and have now been deployed automatically to most WordPress sites. Reportedly, the Akismet comment plugin now also filters malicious comments containing the exploit.
So users of WordPress 4.0 are safe from this flaw, but they should note that version 4.0.1 patched a separate, also critical set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.