To all WordPress users! A critical 0-day vulnerability has been disclosed in WordPress’s native comment system. It allows an attacker to insert malicious scripts on your site through the comments and infect your visitors with malware. You could trigger such a script yourself if you approve infected comments from the admin dashboard.
No patch has been released yet, so if you have allowed users to post comments via WordPress’s comment system, you’re at risk and should disable comments on your site ASAP until a remedy is found or, alternatively, enable a web application firewall to protect your site and your customers. If you use comment plugins like Disqus, chances are that you are still at risk, since the comments are synced back to your own WordPress database.
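One way to apply the "disable comments" mitigation described above without touching every post by hand is a must-use plugin that closes comments site-wide and stops rendering stored comments. This is an added example, not code from the original advisory or from WordPress itself; the hooks used (`comments_open`, `pings_open`, `comments_array`, `pre_comment_on_post`, `rest_endpoints`, `admin_menu`) are standard WordPress hooks, while the plugin name and file location are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Emergency Comment Lockdown (added example)
 * Description: Temporary site-wide comment shutdown while a fix is pending.
 *
 * Assumed deployment: save this file as
 * wp-content/mu-plugins/emergency-comment-lockdown.php. Files in mu-plugins
 * load automatically and cannot be deactivated from the dashboard, which is
 * what you want for an emergency control. Delete the file to lift the lockdown.
 */

// 1. Refuse new comments and pingbacks on every post, overriding per-post
//    settings. Priority 20 runs after most theme/plugin filters.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );

// 2. Stop rendering comments that are already stored, so a previously
//    injected payload is no longer served to visitors. This hides, it does
//    not delete: the rows stay in wp_comments for later review/cleanup.
add_filter( 'comments_array', '__return_empty_array', 10, 2 );

// 3. Reject submissions that bypass the theme form and POST straight to
//    wp-comments-post.php. This action fires before the comment is inserted.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    wp_die(
        esc_html__( 'Comments are temporarily disabled on this site.' ),
        esc_html__( 'Comments disabled' ),
        array( 'response' => 403 )
    );
} );

// 4. Remove the REST API comment routes so comments cannot be created or
//    read through /wp-json/wp/v2/comments either.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/comments' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 5. Hide the Comments screen in wp-admin so administrators are not tempted
//    to open and approve pending comments while the issue is unresolved.
add_action( 'admin_menu', function () {
    remove_menu_page( 'edit-comments.php' );
} );
```

Steps 1 and 3 together stop new comments from arriving through both the normal form and direct requests; step 2 keeps existing comments off the rendered page. If you rely on a WAF instead, as the advisory suggests, you can keep steps 2 and 5 alone so already-stored content is neither displayed to visitors nor opened in the dashboard until it has been reviewed and cleaned.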