WordPress 2.9.2 was released just a few minutes ago to address a security problem dealing with the Trash feature.
When WordPress implemented the new feature, they failed to change the permissions granted when a post is in the trash. This means that an unauthenticated user cannot see the post; however, an authenticated user can, no matter what privileges they have, even ‘subscriber’.
There are probably a few other bug fixes in this version, but they were not part of the release announcement. If your site only has one author and no registered users, this upgrade is not critical.
[...] A new WordPress security vulnerability has been discovered, in 2.9 and 2.9.1. It has to do with the newly (and badly) implemented “trash can” feature. (Instead of just deleting posts when told to, WordPress now routes them through a convoluted trash system.) You can read about the new 2.9.2 version over at the WordPress Tavern blog. [...]
I think it’s worth noting that the error has been known for some weeks now. Originally it was reported by caesarsgrunt in #11236. I have the full story in my blog post “The short memory of WordPress.org security”. Just for the info.
Thanks for the update… Just updated my blog with the latest 2.9.2 after taking a clean backup :)
Thanks for your post. I have tested 2.9.2 with the automatic upgrade and a manual upgrade on a couple of websites and both seem to work okay, so far. Keeping my fingers crossed.