Essentially it’s a XSS threat, where a hacker can get behind the websites firewall and use its own code against itself. Less than 2 weeks ago WordPress addressed an issue with the comments section of their code where a comment can install a virus behind the firewall. Although most of our sites don’t use comments, the main thing to see here is simply submitting text was enough to install a virus which you potentially could do with any form. Now it seems that there are other places where a hacker can install a virus, including the sites own template.
It could be upgraded yourself, but if something is not compatible then it could break. At least if we do it, we got backups and we could recover the site quickly.
This is more to do with clients that have TwentyFifteen template, the TwentyFifteen website template is installed by default with WordPress. Even those that don’t use it, but have it installed.
This article explains the second threat and how to fix it:
Basically there is a folder called genericons and it has code in it that is compromised.
The client cannot do anything with this. We must do it as we have access to cPanel. We need to remove the unnecessary files. We need to scan all WordPress sites. If they are not using TwentyFifteen, then we need to remove the code.