The fine folks at WordPress issued a critical security release today:
WordPress 4.2.1 Security Release (wordpress.org)
WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site.
Yes, that's like 4 in one week, but it's good to get them all done. We said last week that we'd wait a few days to see if 4.2.1 came out, and it has.
Our Website Maintenance Department will be in contact with you regarding these upgrades. Clients that have signed up for our Automatic WordPress Update Program will get their website updated promptly.
Remember that you don't want to just update your WordPress core software but make sure all plugins and themes are up to date as well. Your plugins need to be updated weekly in order to keep your website in its best health.
Also, this update is kind of strange. With websites that get their own automatic updates from WordPress, you get emails that say this:
"Howdy! Your site at [YOUR DOMAIN] has been updated automatically to WordPress 4.2.1."
but we're not seeing the update applied - you still have to do it manually. Strange. We think this is if the major update (4.2) wasn't done. Still, WordPress shouldn't send out messages saying it has been updated if it really hasn't been. That's why it's always best to check manually.
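One way to do that manual check from a shell on the server, as an added example that is not part of the original post: it reads `$wp_version` from `wp-includes/version.php`, the file where WordPress core records its installed version, and compares it with 4.2.1. The function names and the script name in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the WordPress core version on disk, not the one in the email.

# Print the value of $wp_version from wp-includes/version.php under install dir $1.
wp_installed_version() {
    sed -n 's/^[[:space:]]*\$wp_version[[:space:]]*=[[:space:]]*.\([0-9][0-9A-Za-z.-]*\).*/\1/p' \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Return 0 if dotted version $1 >= $2. Suffixes such as -beta1 are ignored.
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print "patched <v>", "outdated <v>" or "unknown" for install dir $1.
# $2 is the minimum acceptable version; it defaults to 4.2.1, the release in the post.
wp_update_status() {
    v=$(wp_installed_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "${2:-4.2.1}"; then
        echo "patched $v"
    else
        echo "outdated $v"; return 1
    fi
}

# Usage: sh check_wp.sh /path/to/wordpress [minimum-version]
if [ "$#" -gt 0 ]; then wp_update_status "$@"; fi
```

The non-zero exit status for "outdated" and "unknown" lets a scheduled job flag a site whose update email did not match what is actually installed.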
<rant>These WordPress automatic upgrades aren't the best thing that has ever happened. Yes, it helps more websites be up to date but if people are just reading the emails and not logging in and doing things like updating plugins and themes, then their websites are still vulnerable.</rant>
-Tony