The blog post linked (http://klikki.fi/adv/wordpress2.html) in the article is rather worrying to read - especially the "Solution" section, which suggests Klikki Oy had a lot of trouble communicating with WordPress and getting the bug fixed.

Interestingly, the WordPress blog states "A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen."

I'm not very familiar with WordPress or its plugins, but does it make use of Content-Security-Policy headers? Those might've helped to minimise the risk (at least for users with modern browsers) to users browsing WordPress sites.
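As an added illustration of the CSP point raised above (this is not part of the comment or of the linked advisory), here is a small Python audit of whether a given Content-Security-Policy header value would still let an injected inline `<script>` block run, which is the case a commenter-supplied XSS payload depends on. The policy strings are constructed samples, not headers from any real site.

```python
"""Audit Content-Security-Policy values for inline-script exposure.

Added example, not from the linked advisory or the discussion thread. It
parses a CSP header value and reports whether the directive that governs
scripts (script-src, falling back to default-src) still permits inline
script execution. All policy strings below are constructed samples.
"""
from typing import Dict, List

UNRESTRICTED = "*UNRESTRICTED*"  # constructed marker: no script directive at all


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source tokens]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive; browsers honour only the first occurrence
    of a directive and ignore later duplicates, which is mirrored here.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header_value.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in policy:
            continue  # duplicate directive: the later one is ignored
        policy[name] = parts[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """Return the source list that applies to <script> elements.

    script-src wins if present; otherwise default-src applies; if neither
    is set the policy imposes no restriction on scripts.
    """
    if "script-src" in policy:
        return policy["script-src"]
    if "default-src" in policy:
        return policy["default-src"]
    return [UNRESTRICTED]


def allows_inline_script(header_value: str) -> bool:
    """True if an inline <script> block injected into page content would run.

    Inline script is only permitted when 'unsafe-inline' is present AND no
    nonce-, hash- or 'strict-dynamic' source is listed, because any of
    those makes CSP Level 2+ browsers ignore 'unsafe-inline'.
    """
    sources = effective_script_sources(parse_csp(header_value))
    if sources == [UNRESTRICTED]:
        return True
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    overrides_unsafe_inline = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        or s == "'strict-dynamic'"
        for s in lowered
    )
    return not overrides_unsafe_inline


def audit(policies: Dict[str, str]) -> Dict[str, bool]:
    """Map each labelled policy to whether it leaves inline script executable."""
    return {label: allows_inline_script(value) for label, value in policies.items()}


# Constructed sample policies, from weakest to strongest.
SAMPLE_POLICIES = {
    "no-csp": "",
    "unsafe-inline": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "default-src-only": "default-src 'self'",
    "nonce-with-legacy-fallback": "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, exposed in audit(SAMPLE_POLICIES).items():
        verdict = "inline script RUNS" if exposed else "inline script blocked"
        print(f"{label:28s} {verdict}")
```

The "nonce-with-legacy-fallback" case is the one worth remembering: keeping `'unsafe-inline'` beside a nonce is a deliberate fallback for pre-CSP2 browsers, and modern browsers still block inline script because the nonce makes them disregard `'unsafe-inline'`. The converse also matters: a policy with no `script-src` and no `default-src` at all places no limit on scripts, however long the rest of the header is.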