Update: April 27
WordPress (in my case, BlueHost, at around 3:30 PM today EDT) has updated all users with 4.2.1 with a patch for the problem. Australian guru "Bogtyant" had warned WordPress users to disable comments until the problem was fixed. Updated story on Sucuri here.
WordPress has a press release on the "cross scripting vulnerability" here.