WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.
Our thanks to those who have practiced responsible disclosure of security issues.
Download WordPress 4.2.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.
Thanks to everyone who contributed to 4.2.3:
Aaron Jorbin, Andrew Nacin, Andrew Ozz, Boone Gorges, Chris Christoff, Dion Hulse, Dominik Schilling, Ella Iseulde Van Dorpe, Gabriel Pérez, Gary Pendergast, Mike Adams, Robert Chapin, Nikolay Bachiyski, Ross Wintle, and Scott Taylor.