The WordPress development team reports:
- Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site
- Disallow contributors from improperly publishing posts
- An update to the SWFUpload external library to fix cross-site scripting vulnerabilities
- Prevention of a denial of service attack, affecting sites using password-protected posts
- An update to an external TinyMCE library to fix a cross-site scripting vulnerability
- Multiple fixes for cross-site scripting
- Avoid disclosing a full file path when an upload fails