Shome Mishtake, Shirley?
"...Dede ... found the Twenty Fifteen plugin installed on all WordPress sites is being actively attacked..."
Eh? –TwentyFifteen is one of the default themes that ship with WordPress. Not a plugin. And, if my reading of your reading of the situation is right, the vulnerability is with Genericons [which is an open-source 'icon font' which can be included in any theme, or any website] –not a vulnerability with WordPress, per se.
Anyway, must dash now. I've recently built a WordPress theme which uses the Genericons font. So I better check I didn't leave the 'default.html' file in there!