WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. Version 4.0 is NOT vulnerable to this problem.
From the security advisory:
- Upgrade to the latest version of WordPress (this issue was fixed in version 3.9.3).
- WordPress Plugin Persian Woocommerce SMS Cross-Site Scripting (3.3.2)
- WordPress Plugin PromoBar by BestWebSoft Cross-Site Scripting (1.1.0)
- WordPress Plugin Yoast SEO Cross-Site Scripting (5.7.1)
- WordPress Plugin Smart Flv 'jwplayer.swf' Multiple Cross-Site Scripting Vulnerabilities (1.0)
- WordPress Plugin Post to CSV by BestWebSoft Cross-Site Scripting (1.3.0)