A WordPress plugin developer recently discovered that WordPress code used by many plugin developers allows cross-site scripting (XSS). A cross-site scripting vulnerability allows hackers to insert malicious code (scripts) into the at-risk plugins running on your website. Just like with the FBI warning about the ISIL threat issued last week, the solution to dealing with this type of threat is to keep the plugins on your website updated. Don’t forget to make a full backup before you begin your updates!
It may take a few days to a week for all the plugins affected by this vulnerability to issue software updates so please check on your site daily for about a week to ensure that all affected plugins have been secured.
The full technical details of this issue are described security alert for WordPress.