If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
This particular vulnerability is similar to one reported by Cedric Van Bockhaven in 2014, which was patched in the most recent WordPress 4.1.2 security release. That particular vulnerability was related to four-byte characters being inserted into comments, causing premature truncation by MySQL.
In this instance, an attacker posts an excessively long comment in order to trigger the MySQL TEXT type size limit, which truncates the comment as it is inserted into the database.
The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.
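The truncation mechanism described above, illustrated as an added example (not code from the original advisory or from WordPress): it emulates a MySQL TEXT column silently cutting a comment at its size limit, shows how a benign, allowed `<a>` tag that straddles the cut point is left as broken markup, and then demonstrates the defensive check a site could apply before insertion, rejecting any comment whose UTF-8 byte length exceeds the column limit so that the database never truncates sanitized HTML. The 65535-byte limit is MySQL's documented TEXT size; the sample comment and the function names are constructed for this example.

```python
import html.parser

MYSQL_TEXT_MAX_BYTES = 65535  # maximum size of a MySQL TEXT column


def utf8_len(text: str) -> int:
    """Byte length as MySQL measures it for a utf8 column, not character count."""
    return len(text.encode("utf-8"))


def truncate_like_mysql(text: str) -> str:
    """Emulate a non-strict MySQL server silently truncating an oversized value."""
    data = text.encode("utf-8")[:MYSQL_TEXT_MAX_BYTES]
    return data.decode("utf-8", errors="ignore")


def truncation_breaks_markup(text: str) -> bool:
    """True if storing `text` would cut it inside an HTML tag.

    If the last '<' in the stored value has no matching '>' after it, the
    cut landed mid-tag and the page will render malformed HTML.
    """
    stored = truncate_like_mysql(text)
    return stored.rfind("<") > stored.rfind(">")


class _TagAuditor(html.parser.HTMLParser):
    """Collects tags the parser sees, so we can compare before and after truncation."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(text: str):
    auditor = _TagAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.tags


def accept_comment(text: str) -> bool:
    """Server-side gate: refuse anything the column could not store intact.

    Sanitizing on input is useless if the database later shortens the result,
    so the length check must use the same byte limit the column enforces.
    """
    return utf8_len(text) <= MYSQL_TEXT_MAX_BYTES


# Constructed sample: filler text followed by an ordinary, allowed link tag,
# positioned so the 65535-byte cut falls inside the tag's attributes.
LINK = '<a href="https://example.com" title="long title here">link</a>'
OVERSIZED_COMMENT = "x" * (MYSQL_TEXT_MAX_BYTES - 20) + LINK
SHORT_COMMENT = "Nice post. " + LINK

if __name__ == "__main__":
    print("oversized accepted?", accept_comment(OVERSIZED_COMMENT))      # False
    print("breaks markup?", truncation_breaks_markup(OVERSIZED_COMMENT))  # True
    print("stored tail:", repr(truncate_like_mysql(OVERSIZED_COMMENT)[-25:]))
    print("short accepted?", accept_comment(SHORT_COMMENT))              # True
```

The intact short comment parses to one `<a>` tag with both attributes, while the stored form of the oversized one ends in an unterminated `<a href="https://exa`; any attribute values or markup the page emits after that point are no longer inside the structure the sanitizer validated, which is why rejecting over-limit input before the INSERT (or disabling comments until patched) is the sensible mitigation.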
A patch from the WordPress security team should be forthcoming. At this time the team could not provide an ETA, but in the meantime there are a few things users can do to mitigate the risk.
In particular, WordPress users can temporarily disable comments until the patch has been issued by the WordPress security team.