WordPress 4.2.2 fixes a cross-site scripting vulnerability contained in an HTML file shipped with recent Genericons packages included in the Twenty Fifteen theme as well as a number of popular plugins by removing the file. Auto-updates and manual updates will remove this file, however manual installations and those using VCS checkout (like SVN) will not remove this file. Version 4.2.2 also improves on a fix for a critical cross-site scripting vulnerability introduced in 4.2.1.

The release also includes hardening for a potential cross-site scripting vulnerability when using the Visual editor.

In addition to the security fixes, WordPress 4.2.2 contains fixes for 13 bugs from 4.2.1, including:

• Fixes an emoji loading error in IE9 and IE10
• Fixes a keyboard shortcut for saving from the Visual editor on Mac
• Fixes oEmbed for YouTube URLs to always expect https
• Fixes how WordPress checks for encoding when sending strings to MySQL
• Fixes a bug with allowing queries to reference tables in the dbname.tablename format
• Lowers memory usage for a regex checking for UTF-8 encoding
• Fixes an issue with trying to change the wrong index in the wp_signups table on utf8mb4 conversion
• Improves performance of loop detection in _get_term_children()
• Fixes a bug where attachment URLs were incorrectly being forced to use https in some contexts

For more information click here