A critical security issue was recently detected in WordPress, and the WordPress team has released a new version.
WordPress 4.1.2 is now available, so please update all your blogs immediately. All previous versions, including 4.1.1 and earlier, are affected by a critical cross-site scripting vulnerability that could enable anonymous users to compromise a site.
This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.
We appreciate the responsible disclosure of these issues directly to the WordPress security team. For more information, see the release notes or consult the list of changes.
Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.
Multiple WordPress plugins are also vulnerable to cross-site scripting (XSS) due to misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions that developers use to add and modify query strings in URLs within WordPress.
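The following audit script is an added example, not code from the original post, the Sucuri advisory, or WordPress itself. It writes two constructed sample plugin files into a temporary directory, one echoing the output of add_query_arg()/remove_query_arg() straight into an href attribute (add_query_arg() falls back to $_SERVER['REQUEST_URI'] when no URL argument is given, so the request path is reflected into the page) and one wrapping the result in the real WordPress escaping functions esc_url()/esc_url_raw(). It then greps a plugin directory for calls that lack such a wrapper on the same line. The same-line check is assumed to be a reasonable triage heuristic; it is not proof that a plugin is safe.

```shell
#!/bin/sh
# Write constructed sample plugin files (not a real plugin) into $1 so the
# audit can be demonstrated offline.
make_samples() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/vulnerable.php" <<'EOF'
<?php
// Unsafe: with no URL argument, add_query_arg and remove_query_arg build on
// $_SERVER['REQUEST_URI'], and the result is echoed into an attribute unescaped.
echo '<a href="' . add_query_arg( 'paged', 2 ) . '">Next</a>';
echo '<a href="' . remove_query_arg( 'paged' ) . '">First</a>';
EOF
  cat > "$dir/hardened.php" <<'EOF'
<?php
// Safe: the returned URL is escaped before it reaches HTML or a redirect.
echo '<a href="' . esc_url( add_query_arg( 'paged', 2 ) ) . '">Next</a>';
$redirect = esc_url_raw( remove_query_arg( 'paged' ) );
EOF
}

# Print lines (file:line:text) that call add_query_arg()/remove_query_arg()
# without esc_url()/esc_url_raw() on the same line. This misses wrappers
# applied on a later line and flags variables that are escaped at output
# time, so treat each hit as a review candidate rather than a verdict.
audit_query_arg() {
  grep -rnE --include='*.php' '(add|remove)_query_arg\(' "$1" \
    | grep -vE 'esc_url(_raw)?\(' || true
}

# Number of candidate lines, convenient for a CI gate.
audit_count() {
  audit_query_arg "$1" | wc -l | tr -d ' '
}

# Demo run against the constructed samples: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_samples "$tmp"
  audit_query_arg "$tmp"
  rm -rf "$tmp"
fi
```

Run it with `--demo` to see only the two lines from vulnerable.php reported; point `audit_query_arg` at a real `wp-content/plugins` directory to get a list of places to review, and fix each hit by escaping the returned URL with esc_url() for HTML output or esc_url_raw() for redirects and database use.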
To date, this is the list of affected plugins:
There are probably a few more that have not yet been discovered, so if you are using WordPress, we strongly recommend that you update all your out-of-date plugins now.
Special thanks to the Sucuri research team and Joost from Yoast, who went through the WordPress repository to find and warn as many plugin developers as possible and help them patch the issue.
Note: If you have automatic updates enabled, your site should already be patched, especially in the most severe cases.
Update Your Plugins now
We strongly recommend that you update all outdated plugins installed on your WordPress site. We have listed some points to help you keep your WordPress more secure:
Tips for your WordPress security:
If you ever discover a security vulnerability on your own, do the community a favour by sending a detailed e-mail to security@wordpress.org. If the vulnerability is in a plugin instead, e-mail plugins@wordpress.org.
Security Resources:
Sucuri: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
Hardening WordPress, wordpress.org: http://codex.wordpress.org/Hardening_WordPress
Exploit Scanner, wordpress.org: http://wordpress.org/extend/plugins/exploit-scanner/