We just learned of a reflected XSS vulnerability in WordPress 3.3 via the comments form (wp-comments.php). It is explained in detail here.
The disclosed vulnerability can only be triggered via Internet Explorer according to the disclosing party, our tests lead to the same result.
To further note, this is hard to reproduce because it does not get triggered when WordPress is installed via a domain. If you’re running WordPress 3.3, and WordPress was installed via a domain, you’re not vulnerable. (ethicalhack3r)
We do not consider this to be a serious vulnerability, however, we recommend updating to WordPress 3.3.1 since the vulnerability can be used in targeted attacks. More info on the release can be found in the WordPress Codex, over via the release post.