Security Release 21-04-2015

We are announcing a security release of GD Core (1.4.5) and the GD BuddyPress addon (1.0.2). Please update both of these plugins immediately.

Recently an XSS vulnerability was found in the way two core WordPress functions were documented to be used (the documentation has now been rectified). As a result, many popular plugins were found to be vulnerable, such as Jetpack, WordPress SEO, Google Analytics, All In One SEO, Gravity Forms etc. Please see here for a more detailed list: http://wptavern.com/xss-vulnerability-affects-more-than-a-dozen-popular-wordpress-plugins

We have looked over all our plugins. Although at first we thought this did not affect us, we have now found that if you have the sort-by options for categories enabled (not enabled by default), then this can be exploited.

The Exploit
This is an XSS (cross-site scripting) vulnerability. Although it is difficult for an attacker to exploit, it can be exploited and should be fixed ASAP.
This type of vulnerability is typically used by crafting a special URL and emailing it, or somehow otherwise getting the admin of the site to click it while logged in. It can also be used to show unauthorised HTML on a page to any user via the same process.
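The pattern behind this class of bug, shown as an added example that is not GeoDirectory's own code: a URL-building helper reflects the current request URI, and a template prints that helper's output straight into an href attribute. The page does not name the two WordPress functions involved; this example assumes the WordPress helpers add_query_arg() and esc_url() and defines minimal stand-ins for them so the file also runs under plain `php` on the command line. The request URI and the sort_by parameter are constructed sample values.

```php
<?php
// Added example (not from the GD Core release). Demonstrates a reflected XSS via an
// unescaped URL helper, and the fix of escaping on output.

if (!function_exists('add_query_arg')) {
    // Stand-in for WordPress add_query_arg(): when no base URL is given it builds on
    // $_SERVER['REQUEST_URI'] without escaping, which is the behaviour that matters here.
    function add_query_arg($key, $value, $uri = null) {
        $uri = $uri ?? ($_SERVER['REQUEST_URI'] ?? '/');
        $sep = (strpos($uri, '?') === false) ? '?' : '&';
        return $uri . $sep . rawurlencode($key) . '=' . rawurlencode($value);
    }
}

if (!function_exists('esc_url')) {
    // Stand-in for WordPress esc_url(): allows only http(s) (or scheme-relative) URLs
    // and HTML-escapes the result so it is safe inside an attribute.
    function esc_url($url) {
        if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $url) && !preg_match('#^https?:#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html().
    function esc_html($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed request URI: the path a victim would be lured to. It contains a quote
// and a tag, so when reflected unescaped it closes the href attribute early.
$_SERVER['REQUEST_URI'] = '/places/?sort=az"><script>alert(document.cookie)</script>';

// Vulnerable pattern: helper output placed directly into markup.
function sort_link_vulnerable($label) {
    return '<a href="' . add_query_arg('sort_by', 'az') . '">' . $label . '</a>';
}

// Fixed pattern: escape the URL on output (and the label), regardless of what the
// helper returned. This is the change the affected plugins shipped.
function sort_link_fixed($label) {
    return '<a href="' . esc_url(add_query_arg('sort_by', 'az')) . '">'
         . esc_html($label) . '</a>';
}

echo "Vulnerable output:\n" . sort_link_vulnerable('A to Z') . "\n\n";
echo "Fixed output:\n" . sort_link_fixed('A to Z') . "\n";
```

Running this prints the vulnerable link with the injected script tag intact in the page markup, while the fixed version renders the same input as a harmless, fully escaped href. When auditing a plugin for this issue, search for every place a URL helper's return value reaches HTML output and confirm an escaping call such as esc_url() sits between them.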

NOTE: The latest Google Chrome browser has XSS protection built in.