If you haven’t already noticed, at some point yesterday the WordPress team released a crucial security update to the WordPress software.

If you are someone who schedules posts ahead of time, you’ll want to read this post explaining why your future-dated posts may be at risk. Here is some more information about the release:

  • Performance improvements for post sanitization when raw content is required (#5325).
  • Changes to is_admin() to ensure that it is only true for admin pages, thereby protecting against exposing draft posts (#5487).
  • Suppression of database errors unless WP_DEBUG is true (#5473).
  • Check for valid database connection information during install and display an error if the install fails due to database rights (#5495).
  • Support for a custom database down page to be displayed on database connection errors (#5500).
  • Changes to make sure we are more selective in what we make clickable; this introduces different rules for different URI types ([6450]).
  • Changes to wp-mail.php to escape the error messages when displaying them to avoid a possible XSS attack (#5484).
  • Changes to ensure that the post password is only exposed by the xmlrpc method metaWeblog.getRecentPosts to users with rights to edit a post (#5535).
  • Changes to the information exposed by the wp.getAuthors xmlrpc method to reduce the information exposed and add a capabilities check (#5534).
  • Addition of extra capabilities checks to xmlrpc methods ([6504]).
  • Addition of extra capabilities checks to APP server ([6508]).
  • Changes to validate_file() to improve its traversal attempt detection when running on Windows ([6521]).
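To make the last item concrete: on Windows a traversal check that only looks for "../" and a leading "/" misses backslash separators, drive letters and UNC paths. The function below is my own illustration of what such a check has to cover, not the code of WordPress's validate_file(); the name check_relative_path() and its return codes are made up for this example, and the sample paths are constructed.

```php
<?php
// Added example: a validate_file()-style check that treats Windows path
// conventions as traversal attempts. Illustrative code, not the WordPress
// implementation; function name and return codes are assumptions.

/**
 * Return 0 when $path is a plain relative path safe to join to a fixed base
 * directory, otherwise a non-zero reason code.
 */
function check_relative_path(string $path): int
{
    // A NUL byte can truncate the path in the underlying C filesystem call,
    // so "index.php\0.jpg" would open index.php.
    if (strpos($path, "\0") !== false) {
        return 4;
    }

    // Windows accepts both separators; normalise first so "..\" is caught
    // exactly like "../".
    $normalized = str_replace('\\', '/', $path);

    // Any ".." segment, anywhere in the path, is a traversal attempt.
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            return 1;
        }
    }

    // Absolute paths: "/etc/passwd" and UNC "\\server\share\x" (now "//server/...").
    if ($normalized !== '' && $normalized[0] === '/') {
        return 2;
    }

    // A colon means a drive letter ("C:\Windows\..." or drive-relative "C:foo")
    // or an NTFS alternate data stream ("file.php:hidden").
    if (strpos($normalized, ':') !== false) {
        return 3;
    }

    return 0;
}

// Constructed sample inputs with the result the check should give.
$samples = [
    'themes/default/index.php'     => 0,
    '../../wp-config.php'          => 1,
    '..\\..\\wp-config.php'        => 1,
    'themes/..\\..\\wp-config.php' => 1,
    '/etc/passwd'                  => 2,
    '\\\\server\\share\\evil.php'  => 2,
    'C:\\Windows\\win.ini'         => 3,
    'C:win.ini'                    => 3,
    "index.php\0.jpg"              => 4,
];

foreach ($samples as $path => $expected) {
    $got = check_relative_path($path);
    printf("%-30s -> %d %s\n", addcslashes($path, "\0\\"), $got,
           $got === $expected ? 'ok' : 'MISMATCH');
}
```

Two caveats apply to any check of this kind. It has to run on the path exactly as the filesystem will see it, so URL-decoding and any other transformation must happen before the check, not after. And a character denylist like this only narrows the attack surface; where the set of legitimate files is known, comparing against an allowlist of file names is the stronger control.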
