An XSS vulnerability has been found in Genericons. To explain further, Genericons includes a file called example.html, which has been found to be vulnerable to a DOM-based (Document Object Model) XSS attack. Any WordPress plugin or theme that includes this file is open to an attack. To help combat this, we have done the following for VaultPress users:
1) We’ve deleted the file everywhere we can to proactively secure your site.
2) We’ve added it to our security scanner so that if there are any cases where we couldn’t detect the file or couldn’t delete it, you will still be notified if the file exists on your site.
3) For users with sites where we couldn’t remove the file, we have personally emailed each of you with steps to remove the file and details about where the file is located.
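If you manage a site yourself, the check from step 2 can be approximated as follows. This is an added example, not VaultPress's scanner code: it walks a wp-content directory and lists example.html files that look like the Genericons demo page. The directory-name and content heuristics and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

TARGET_NAME = "example.html"   # file name given in the advisory
DIR_HINT = "genericons"        # assumption: the package directory keeps this name
CONTENT_HINT = b"genericons"   # assumption: the demo page mentions the font's name


def find_genericons_examples(root):
    """Return sorted paths of example.html files that appear to belong to Genericons."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        # Match on the path below root only, so the root's own name cannot cause a hit.
        in_pkg_dir = DIR_HINT in os.path.relpath(dirpath, root).lower()
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() == TARGET_NAME and (in_pkg_dir or _mentions_genericons(path)):
                hits.append(path)
    return sorted(hits)


def _mentions_genericons(path, limit=65536):
    """Check the first `limit` bytes for the package name; unreadable files count as no match."""
    try:
        with open(path, "rb") as fh:
            return CONTENT_HINT in fh.read(limit).lower()
    except OSError:
        return False


def build_sample_tree(root):
    """Constructed sample layout for the demo; not taken from a real site."""
    files = {
        "themes/sample-theme/genericons/example.html": "<html>icons</html>",
        "plugins/sample-plugin/fonts/Example.html": "<title>Genericons</title>",
        "plugins/other/docs/example.html": "<html>unrelated demo</html>",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as wp_content:
        build_sample_tree(wp_content)
        for hit in find_genericons_examples(wp_content):
            print("remove:", os.path.relpath(hit, wp_content))
```

On a real site, pass the path to your own wp-content directory to `find_genericons_examples` instead of the sample tree.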
Also, another important security update was released today for WordPress: version 4.2.2. Version 4.2.2 fixes several vulnerabilities that could allow users to compromise your site, including the Genericons vulnerability.
We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click “Update Now”. Otherwise, you can download WordPress 4.2.2 directly. Once you’re running WordPress 4.2.2, you’re protected from these vulnerabilities.
As always, drop us a line if you have any questions!