This vulnerability exists in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in the “form” function. It allows remote attackers to inject arbitrary web script or HTML via a widget title.
Related records:
http://db.threatpress.com/vulnerability/wordpress/wordpress-4-2-3-xss
Update WordPress.