Bad comments could lead to OS level server access
Build 4.0.1 of WordPress has been released to fix a serious cross-site scripting (XSS) flaw that impacts all versions of the CMS (content management system) earlier than 4.0, which account for 85.5% of the WordPress installations.
The vulnerability has passed unobserved for about four years, as it was introduced in version 3.0 of the CMS, released in 2010. Discovered by Jouko Pynnonen from Finnish IT company Klikki Oy, the vulnerability allows execution of arbitrary JavaScript code injected in comment boxes.
The weakness allows creating a new admin account
The commands in the code are run with administrative privileges and are triggered the moment the target tries to view the malcrafted comment.One attack scenario is to hide the malicious JavaScript between different URLs in a comment. The text passes into the moderation queue and commands are executed upon reviewing the comment.
Full Article