Sucuri blog has the detailed information: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html
In short, the plugins Jetpack and TwentyFifteen had a bad file which could be attacked by a XSS(Cross Site Scripting) method.
As Sucuri blog mentions the attack is actually DOM(Domain Object Model)-based XSS, which even a WAF(Web Application Firewall) cannot see this.
Of course it has to be clicked in a phishing email for it to be activated, as a browser has to initiate it, and most people will not want to go to the “example.html” faulty file.
Unfortunately WordPress developers allowed the file to be included in the production software release, it is an unfortunate inclusion and indicative that wordpress developers can make mistakes.
The jetPack plugin has over 1 million installs, and the TwentyFifteen theme is in all installations (although may not be active).
My recommendation is to update Jetpack immediately and remove any themes you are not using, just in case.
This is the up-to-date version: v3.5.3
What has to be done with a WordPress website? (like this one?)
Unfortunately you have to login every day and minimally check for updates, yesterday we updated this site and are safe from this vulnerability.
We have removed all themes not used as a precaution in all WordPress sites that we manage.
Contact Us if you need help