WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
wordpress.org/news/2015/04/wordpress-4-1-2/