A XSS vulnerability affects Jetpack and Twentyfifteen, both installed by default in millions of WordPress installs, caused by a flaw in the genericons package.

Source : WordPress JetPack and TwentyFifteen DOM-based XSS Vulnerability | Sucuri Blog