If you don’t have automatic updates turned on for your WordPress blog, you need to check for and install this critical security update right away.
WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft.