WordPress 4.2.2 fixes a cross-site scripting vulnerability contained in an HTML file shipped with recent Genericons packages included in the Twenty Fifteen theme as well as a number of popular plugins by removing the file.
The release also includes hardening for a potential cross-site scripting vulnerability when using the Visual editor.
In addition to the security fixes, WordPress 4.2.2 contains fixes for 13 bugs from 4.2.1, including:
Fixes an emoji loading error in IE9 and IE10
Fixes a keyboard shortcut for saving from the Visual editor on Mac
Fixes oEmbed for YouTube URLs to always expect https
Fixes how WordPress checks for encoding when sending strings to MySQL
Fixes a bug with allowing queries to reference tables in the dbname.tablename format
Lowers memory usage for a regex checking for UTF-8 encoding
Fixes an issue with trying change the wrong index in the wp_signups table on utf8mb4 conversion
Improves performance of loop detection in _get_term_children()
Fixes a bug where attachment URLs were incorrectly being forced to use https in some contexts
source: https://codex.wordpress.org/Version_4.2.2
Thank you very much.