WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. For the details please check original post on Wordpress blog.
Update Wordpress installation to version 4.0.1:
If Wordpress is installed as an Plesk application, go to Subscriptions > domain_name > Applications > Manage My Applications and click on "Update avaliable" button, see screenshot:
Note: New version availability is being checked by daily Maintenance Script in Plesk. If you still does not see "Update avaliable" button please wait for Daily Maintenance script or run the following two commands:
#/usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php -f UpdateApsCache
#/usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php -f UpdateApsApplications
If Wordpress is installed not through Plesk application vault, but manually, follow Wordpress upgrade guide .