The Plone Security Team has issued a pre-announcement about the release of a patch for Plone to address vulnerability issues. The hotfix, as well as the details of the issue, will be available on Tuesday, November 29th, 2016 at 11am US ET. All supported Plone versions (4.x, 5.x) are affected. Previous versions may be affected too, but have not been tested.
We highly recommend all Plone site managers apply the patch to their sites as soon as it gets released. We are happy to help if you need assistance. Please contact us through our non-emergency support page. Requests will be addressed in the order they get received.
For more information, please visit the Plone hotfix pre-announcement page.