A critical security update has been released for WordPress. Version 4.2.3 addresses a cross-site scripting vulnerability affecting previous versions of WordPress, including 4.2.2, which potentially let non-admin users (those with Contributor or Author roles) compromise a site.

The update also fixes a bug that let users with the basic subscriber role post saved drafts without admin or editor privileges, as well as bugs related to tinyMCE’s (the WordPress WYSIWYG editor) handling of HTML shortcode wrappers.

All in all, the update fixes 20 known bugs present in WordPress 4.2. Users and site administrators are strongly encouraged to update WordPress as soon as possible.