WordPress 4.2.3 has just been released and fixes a critical XSS vulnerability that requires immediate patching.
The fix for this vulnerability is well hidden in commit 33360, where major portions of the shortcode functionality have been rewritten.
More specifically, the fix is in the files wp-includes/kses.php and wp-includes/shortcodes.php.
Feel free to browse through the patch and don’t forget to update your WordPress installations in the meantime.
If you’ve enabled the auto-update feature of WordPress, you’ll find WordPress did you a favour and auto-patched it already.