The vulnerability was reported by Jouko Pynnönen, a security researcher at Klikki Oy.
When triggered by a logged-in administrator, the vulnerability lets the attacker use the plugin and theme editors to execute arbitrary code on the server.
The attacker could also change the administrator's password, create new administrator accounts, or do anything else the logged-in administrator can do on the target system.
This vulnerability is similar to the WordPress 4.1.2 issue reported by Cedric Van Bockhaven.
Update: We learned that they tried to contact the WordPress security team but could not get a prompt answer.
Your site will update automatically unless you have disabled automatic updates.
We strongly recommend updating to WordPress 4.2.1 now. Before you update, make sure your site is backed up.