WordPress Critical Persistent XSS Zero Day Vulnerability: Comment Posting

engine

5:11 pm on Apr 27, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month
It appears that blog comment posting ought to be disabled until the WordPress patch is rolled out.

If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert a backdoor in the site’s code if the code runs in a logged-in administrator's browser.

You should definitely disable comments on your site until a patch is made available or leverage a WAF to protect your site and customers.

WordPress Critical Persistent XSS Zero Day Vulnerability: Comment Posting [blog.sucuri.net]
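
One way to apply the "disable comments until patched" advice above site-wide without touching the theme is a must-use plugin. This is an added example, not code from the thread, from Sucuri or from WordPress core; the plugin name and file are hypothetical, the hook names are standard WordPress filters and actions.

```php
<?php
/*
Plugin Name: Emergency Comment Lockdown (hypothetical mu-plugin)
Description: Closes commenting site-wide until the core patch is installed.
*/
// Added example, not from the thread or from WordPress. Save it as
// wp-content/mu-plugins/comment-lockdown.php (mu-plugins load automatically,
// no activation step) and delete the file once the site runs a patched release.

// Report every post as closed to comments and pingbacks, so themes stop
// rendering the comment form and the reply links.
add_filter( 'comments_open', '__return_false', 99 );
add_filter( 'pings_open', '__return_false', 99 );

// Do not render already-stored comments on the front end. A comment that is
// never printed cannot execute in a visitor's browser while the backlog is
// reviewed on a patched install.
add_filter( 'comments_array', '__return_empty_array', 99 );

// Reject every new submission before it is written to the database. The
// preprocess_comment filter runs inside wp_new_comment(), so this covers both
// wp-comments-post.php and the XML-RPC wp.newComment path, and the rejected
// content never reaches the moderation screen of a logged-in administrator.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    wp_die(
        'Comments are temporarily disabled.',
        'Comments disabled',
        array( 'response' => 403 )
    );
}, 1 );

// Drop the threaded-reply script a theme may still enqueue.
add_action( 'wp_enqueue_scripts', function () {
    wp_dequeue_script( 'comment-reply' );
}, 99 );
```

The wp-admin comment screens still render stored comments, so this is a stop-gap for the public site and for new submissions, not a substitute for updating to a fixed release.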

thomcraver

8:15 pm on Apr 27, 2015 (gmt 0)

10+ Year Member
Apparently WordPress issued a fix: [wordpress.org...]

Looks like 4.2.1 fixes it. I also have some installations still on 4.1.x. They were auto-updated to 4.1.4 at the same time as my 4.2.1 patches went through.

WordPress has not mentioned 4.1.4. Can anyone confirm 4.1.4 also fixes this issue?

not2easy

8:55 pm on Apr 27, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

4.2.1 fixes the issue; they have an article here: [wordpress.org...] with full information. 4.1.4 was auto-installed this afternoon and it does patch the security issue. That is the 3rd auto-update in a week. I like security, but logging in at each one to update/check installed plugins is a chore - and best done in off hours if possible. Off to evaluate...

tangor

10:50 pm on Apr 27, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month
The vulnerability is present in WordPress version 4.2 and below. Pynnönen revealed the flaw on his blog on Sunday before the WordPress team could release a patch for the software: the researcher feared WordPress would take too long to fix the hole, and wanted to warn everyone beforehand.
More info here:
[theregister.co.uk...]

Hoople

1:56 am on Apr 28, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month
A few of my sites that were set to automatically update went from 4.1.2 to 4.2 and then 4.2.1 in the last few days. Never saw 4.1.3 or 4.1.4 at all.

Now to go back and turn on WP auto update on all the older sites.

Hoople

3:10 am on Apr 28, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month
“Your best option is to install Akismet (which has already been configured to block this attack), or disable comments,” core contributor Gary Pendergast said...

"WordPress users can also temporarily disable comments in the meantime until the patch has been issued by the WordPress security team."

http://wptavern.com/zero-day-xss-vulnerability-in-wordpress-4-2-currently-being-patched [wptavern.com]

Planet13

4:16 am on Apr 30, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month
I'm lost...

So if I have 4.1.4 installed and am using Akismet, am I safe?

I would gladly update to 4.2.1 but none of the plugins I use have been confirmed to work with it (not saying they WON'T work with it, just not sure that they will since their status is "unknown").

tangor

7:50 am on Apr 30, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month
Article I noted specifies the LATEST iteration of WordPress... Go there and damn the plugins! :)

On a more serious note, always have the latest version. And always question the plugins (I use few to none, depending on the client).

Hoople

2:54 am on May 1, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

I would gladly update to 4.2.1 but none of the plugins I use have been confirmed to work with it (not saying they WON'T work with it, just not sure that they will since their status is "unknown").

I would create a test site somewhere that is strictly used for vetting new plugins and themes. Most hosts allow many/unlimited databases. WordPress 4.10 is 19.8 MB on my 'lag' (purposely kept a bit older) testing site. If all is well, please take the time to revisit the plugin repository and rate them for those unwilling to test them on their live sites.

My test site 'paid for itself' when I was trying to track down a conflict with all the free Facebook comment plugins. The comment module of JetPack aka JP Share was the only one I found that didn't chop the pop-up post box in half. I also used it for customer previews of mini update projects not rolled out to their sites.