According to the web security website Sucuri, any WordPress plugin or theme that uses the popular genericons package could be at risk of a DOM-based Cross-Site Scripting (XSS) vulnerability.
Both the JetPack plugin (which has more than 1 million active users) and the TwentyFifteen theme (which is WordPress’s current default theme) use genericons. The threat has been identified in the example.html file that comes with the package.
Eliminating the Threat
The quick fix is to remove the example.html file from the genericons package, which you don’t need anyway.
This vulnerability was detected before any attacks were seen in the wild, so it hasn’t done any known damage so far. Because WordPress responded so quickly, the threat level to WordPress users isn’t considered serious. But Sucuri warned that the vulnerability would be easy to exploit.
WordPress has already reached out to the most popular web hosting services, notified them of this vulnerability and given them the patch they needed to eliminate it. So if you use any of these services, you already have the virtual patch you need to protect yourself:
But if your site is hosted by a different company, you may need to fix the issue yourself. All you have to do is go to the genericons directory and delete the example.html file, and you will be completely protected.
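As an added example (not from the article, Sucuri or WordPress), a small POSIX shell helper that lists every example.html sitting inside a genericons directory under a WordPress install, so you can see what is there before deleting it and confirm nothing is left afterwards. It assumes you pass the path of your WordPress document root.

```shell
#!/bin/sh
# Find, count and remove genericons/example.html files under a WordPress
# install. Usage:
#   list_genericons_examples   /path/to/wordpress   # review first
#   remove_genericons_examples /path/to/wordpress   # then delete

# Print the path of every example.html that lives directly inside a
# directory named "genericons", anywhere under the given root.
list_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html' 2>/dev/null
}

# Number of such files still present (0 means the install is clean).
count_genericons_examples() {
    list_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete each one, printing the path as it goes. Paths with spaces are
# handled because each line is read whole with IFS cleared.
remove_genericons_examples() {
    list_genericons_examples "$1" | while IFS= read -r f; do
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done
}
```

Run the list function first on a staging copy if you keep one; an example.html elsewhere in a plugin is left alone because only files directly inside a genericons directory match.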
Most Sites Probably Safe
Had this vulnerability not been discovered, it could have had a devastating impact on unsuspecting website owners and businesses alike.
In any case, if you remove the example.html from the genericons directory, you should be okay for now.