Yesterday on Twitter, Dr.-Ing. Mario Heiderich of security firm Cure53 announced an unauthenticated cross-site scripting flaw in WordPress version 4.5 (the current version as of the announcement) and below.
The best protection against this and similar vulnerabilities is to maintain regular, reliable backups and to keep the WordPress core and all plugins and themes up to date. We expect WordPress to release an update to WP 4.5 (nicknamed “Coleman Hawkins”) shortly before the announcement.
If WordPress site owners cannot update to WordPress version 4.5.1 quickly, we highly recommend they implement a web application firewall, which will block such attacks even if the vulnerability exists on the underlying WordPress site. In addition, we recommend that WordPress and other site owners run a malware scanner to detect, and in SiteLock’s case automatically clean, malware if an unknown vulnerability is exploited and infects a site.
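As an added example (not SiteLock’s tooling and not from the original post), the following script turns the “keep the core up to date” advice into a check a site owner can run against an install: it reads the `$wp_version` string that WordPress defines in `wp-includes/version.php` and reports whether the install is older than the fixed release named above, 4.5.1. The version-file layout is the real one, the sample file contents are constructed, and pre-release builds (for example a `-RC1` suffix) are conservatively treated as still needing the update.

```python
import re
from pathlib import Path

# First release that the post says carries the fix.
FIXED_VERSION = "4.5.1"

# Constructed sample of the relevant part of wp-includes/version.php;
# the real file assigns $wp_version in exactly this form.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.5';
"""

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(php_source: str) -> str:
    """Extract the $wp_version string from the text of wp-includes/version.php."""
    match = _VERSION_RE.search(php_source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_tuple(version: str) -> tuple:
    """Map '4.5', '4.5.1' or '4.5.1-RC1' to a comparable tuple.

    The numeric part is padded to three components; a pre-release suffix
    adds a trailing 0 so that '4.5.1-RC1' sorts below the final '4.5.1'.
    """
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (*parts, 0 if suffix else 1)


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_tuple(installed) < version_tuple(fixed)


def check_install(wp_root: str) -> dict:
    """Inspect a WordPress install on disk and report its update status."""
    version_file = Path(wp_root) / "wp-includes" / "version.php"
    installed = parse_wp_version(version_file.read_text(encoding="utf-8"))
    return {"version": installed, "needs_update": needs_update(installed)}


def check_source(php_source: str) -> dict:
    """Same report, but for version.php contents already read into memory."""
    installed = parse_wp_version(php_source)
    return {"version": installed, "needs_update": needs_update(installed)}


if __name__ == "__main__":
    # Run against the constructed sample; pass a real docroot to check_install() instead.
    report = check_source(SAMPLE_VERSION_PHP)
    status = "update to %s or later" % FIXED_VERSION if report["needs_update"] else "up to date"
    print("WordPress %s: %s" % (report["version"], status))
```

The comparison is deliberately tuple-based rather than a string comparison, so that `4.10` would correctly sort above `4.9`; the only assumption is that `$wp_version` follows WordPress’s usual `major.minor[.patch][-suffix]` shape.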