WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. Version 4.0 is NOT vulnerable to this problem.
From the security advisory:
- Upgrade to the latest version of WordPress (this issue was fixed in version 3.9.3).