Jouko Pynnönen, a security researcher at Klikki Oy who reported the issue, described it as:
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
This particular vulnerability is similar to the one reported by Cedric Van Bockhaven, which was patched in the WordPress 4.1.2 security release.
Unfortunately, they did not use proper security disclosure and instead posted the exploit publicly on their site. This means that those who do not upgrade their sites will be at serious risk.
Update: We have learned that they tried contacting the WordPress security team but failed to get a timely response.
If you haven’t disabled automatic updates, then your site will automatically update.
Once again, we strongly advise that you update your site to WordPress 4.2.1. Make sure to back up your site before you update.