WordPress 2.8.6 is another important security release that tackles vulnerabilities in the Press This bookmarklet and upload file names.
The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.
WordPress 2.8.2 is an important security update that addresses an XSS vulnerability with unsanitized comment author URLs. No betas or release candidates came out before this version, but upgrade away! The notice should already be up in your WordPress admin panel.
WordPress 2.6.5 has been released! If you’re wondering where WP 2.6.4 is, it looks like the Automattic team decided to skip that version because of the fake WordPresz release that has been circulating the Web. As the announcement puts it:
Note that we are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds. There is not and never will be a version 2.6.4.
The WP 2.6.5 update contains security fixes for XSS vulnerabilities as well as some bug fixes. Peter Westwood also writes about this in detail.
For WordPress MU users, a new release of the same version is also out, addressing more or less the same issues.