https://nakedsecurity.sophos.com/2015/07/23/wordpress-4-2-3-is-out-update-your-website-now/ [nakedsecurity.sophos.com]

WordPress 4.2.3 is out, update your website now

The latest version, version 4.2.3 [wordpress.org], was released on 23 July 2015 and includes a fix for a cross-site scripting (XSS) vulnerability that your website could do without.

The flaw allows WordPress users who have Contributor or Author roles to add javascript to a site (something normally reserved for Editors and Administrators) using specially crafted shortcodes [codex.wordpress.org].

Attackers who can add javascript to a site can use it to do all manner of damage such as infecting users with malware or stealing their cookies.