The Genericons icon font package, which is used in a number of
popular themes and plugins, contained an HTML file vulnerable to
a cross-site scripting attack. All affected themes and plugins
hosted on WordPress.org (including the Twenty Fifteen default
theme) have been updated today by the WordPress security team
to address this issue by removing this nonessential file. Because
Genericons is also bundled with themes and plugins that are not
hosted on WordPress.org, WordPress 4.2.2 proactively scans the
wp-content directory for this HTML file and removes it wherever it
is found. Reported by Robert Abela of Netsparker.
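The sweep described above can be reproduced by hand on a site that has not yet been updated, or re-run after restoring an old theme or plugin package. The script below is an added example for this page and is not WordPress's own code; it assumes the standard wp-content/themes and wp-content/plugins layout, and takes the file name (the example.html demo page shipped with Genericons, as named in the Netsparker report rather than on this page) as the thing to look for. The check only matches example.html when it sits directly inside a directory named genericons, so unrelated files of the same name are left alone.

```shell
#!/bin/sh
# Locate every example.html that sits in a directory named "genericons" under
# the themes and plugins trees of a wp-content directory, and optionally delete
# it. Added example reproducing the cleanup WordPress 4.2.2 performs; the
# directory layout is assumed to be the standard wp-content/themes and
# wp-content/plugins.

genericons_example_files() {
    # $1: path to wp-content. Prints one matching path per line.
    for dir in "$1/themes" "$1/plugins"; do
        [ -d "$dir" ] && find "$dir" -type f -path '*/genericons/example.html'
    done
    return 0
}

# $1: path to wp-content; $2: "report" (default) only lists, "delete" removes.
# Exit status: 0 when no copy remains, 1 when copies were found but left in place.
remove_genericons_example() {
    wp_content="$1"
    mode="${2:-report}"
    files=$(genericons_example_files "$wp_content")
    if [ -z "$files" ]; then
        echo "clean: no genericons/example.html under $wp_content"
        return 0
    fi
    count=$(printf '%s\n' "$files" | wc -l | tr -d ' ')
    printf '%s\n' "$files"
    if [ "$mode" = "delete" ]; then
        # Read paths line by line so names containing spaces are handled.
        printf '%s\n' "$files" | while IFS= read -r f; do
            rm -f -- "$f"
        done
        echo "removed $count file(s)"
        return 0
    fi
    echo "found $count file(s); rerun with 'delete' to remove them"
    return 1
}

# Stand-alone use: sh genericons-check.sh /var/www/html/wp-content [delete]
if [ -n "${1:-}" ]; then
    remove_genericons_example "$1" "${2:-report}"
fi
```

Report mode returns a non-zero exit status while any copy remains, so the function can be dropped into a monitoring or deployment check as-is; run it with `delete` only after confirming the listed paths are the Genericons demo page and nothing a custom theme depends on.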

WordPress versions 4.2 and earlier are affected by a critical
cross-site scripting vulnerability, which could enable anonymous
users to compromise a site. WordPress 4.2.2 includes a
comprehensive fix for this issue.

The release also includes hardening for a potential cross-site
scripting vulnerability when using the visual editor. This issue
was reported by Mahadev Subedi.