WordPress has released a security update today that everyone should install immediately.
Given the severity, US Homeland Security has released a post (https://www.us-cert.gov/ncas/current-activity/2017/03/06/WordPress-Releases-Security-Update) today about it.
If you have auto-updates set on your WP install you may have already received the upgrade automatically. Most of the sites I personally manage were updated already earlier today. If not, I'd suggest you do that asap.
You can read more on WordFence's post/alert here:
An email alert has been sent to all of our customers approximately 10 minutes ago with a link to this thread.
I've added this as a Client Area Announcement and tweeted it as well.