Explanation of the Vulnerability
The actual vulnerability is present in a font package called "Genericons" and not in the core WordPress installation. Unfortunately, this font package is used by "TwentyFifteen", the theme installed and enabled in WordPress by default. The vulnerability also affected a popular WordPress customization and enhancement plugin called "JetPack", which has over one million active installations, and possibly other plugins and themes as well.
The vulnerability exists in a single file called example.html which is included in the Genericons package. This is a non-essential file which was included only to showcase the font. However, it includes a jQuery snippet that introduces a vulnerability potentially allowing DOM-based cross-site scripting exploits. Any themes or plugins that shipped the more modern versions of the "Genericons" package without removing this file were vulnerable.
A DOM-based cross-site scripting attack works by altering the DOM environment as interpreted by a user's browser, causing the page's own scripts to execute in a way contrary to their original design. In order to exploit the vulnerability, a user must be enticed to click a specially crafted link while logged into a WordPress installation. If an application has this type of vulnerability, the server cannot easily prevent the unwanted behavior, because the malicious input is processed entirely within the browser itself. Fortunately, removing the vulnerability is trivial in this case: delete the non-essential example.html.
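To make the mechanism concrete, here is an added example of the class of bug described above and one way to harden it. This is not the Genericons code, nor anything from WordPress or JetPack; the function names (`idFromFragment`, `elementFromFragment`, `fragmentLooksLikeMarkup`) and the stub document are assumptions constructed for illustration. The weak pattern it contrasts against is a script that hands `window.location.hash` straight to a jQuery selector call such as `$(hash)`: jQuery treats a string that looks like markup as HTML to be built rather than as a selector, so the URL fragment becomes a sink. The hardened version only ever accepts a plain element id and looks it up with `getElementById`, which never interprets its argument as markup.

```javascript
// Added example (not from the page or the Genericons project): acting safely
// on window.location.hash. A DOM-based XSS of the kind described above occurs
// when an untrusted URL fragment reaches a sink, such as a jQuery selector,
// that may interpret it as HTML. The fix is to allowlist the fragment shape
// and use a DOM API that only understands ids.

// Only '#' followed by a letter and then letters, digits, '-' or '_' (at most
// 64 chars) is accepted as an element id. Everything else is rejected.
const SAFE_FRAGMENT = /^#([A-Za-z][A-Za-z0-9_-]{0,63})$/;

// Returns the validated id, or null if the fragment is not a plain id.
function idFromFragment(hash) {
  const m = SAFE_FRAGMENT.exec(hash || '');
  return m ? m[1] : null;
}

// Hardened lookup: the raw fragment never reaches a selector engine.
// `doc` is any object with getElementById (the real document in a browser).
function elementFromFragment(hash, doc) {
  const id = idFromFragment(hash);
  if (id === null) return null;
  return doc.getElementById(id);
}

// For contrast, this approximates the test jQuery 1.9+ applies when deciding
// whether a string passed to $() is markup to create rather than a selector:
// after optional leading whitespace it begins with '<' and contains a '>'.
// A fragment for which this returns true would be parsed as HTML by the weak
// pattern `$(window.location.hash)`; the allowlist above rejects all of them.
function fragmentLooksLikeMarkup(hash) {
  const s = (hash || '').replace(/^#/, '').replace(/^\s+/, '');
  return s.length >= 3 && s[0] === '<' && s.indexOf('>') !== -1;
}

// Constructed stand-in for `document`, so the example runs outside a browser.
function makeStubDocument(ids) {
  return {
    getElementById(id) {
      return ids.indexOf(id) !== -1 ? { id: id } : null;
    },
  };
}

// In a real page, wire it up like this (skipped when no DOM is present):
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const el = elementFromFragment(window.location.hash, document);
  if (el) el.classList.add('is-selected');
}
```

Note that the allowlist is applied to the raw fragment; because a valid id here contains no characters that would be percent-encoded, no `decodeURIComponent` step is needed before validation, and skipping it avoids a second parsing path that could disagree with the first.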