WordPress 2.3.2 has been released. It includes a number of changes, including one security fix.
- Performance improvements for post sanitization when raw content is required.
- Changes to is_admin() to ensure that it is only true for admin pages, thereby protecting against exposing draft posts.
- Suppression of database errors unless WP_DEBUG is true.
- Check for valid database connection information during install and display an error if the install fails due to database rights.
- Support for a custom database down page to be displayed on database connection errors.
- Changes to make sure we are more selective in what we make clickable; this introduces different rules for different URI types.
- Changes to wp-mail.php to escape the error messages when displaying them to avoid a possible XSS attack.
- Changes to ensure that the post password is only exposed by the XML-RPC method metaWeblog.getRecentPosts to users with rights to edit a post.
- Changes to the wp.getAuthors XML-RPC method to reduce the information exposed and add a capabilities check.
- Addition of extra capabilities checks to XML-RPC methods.
- Addition of extra capabilities checks to APP server.
- Changes to validate_file() to improve its traversal attempt detection when running on Windows.
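
The last item concerns traversal detection on Windows, where both `\` and `/` separate path segments. The following is an added illustration, not WordPress's validate_file() or any code from this release; the function name `check_relative_path`, its return codes and the sample paths are assumptions made for the example.

```php
<?php
// Hypothetical helper, not WordPress's validate_file(): returns 0 when $file is
// a safe relative path, or a non-zero code naming the reason it was rejected.
function check_relative_path(string $file): int
{
    // Empty input, or a NUL byte that could truncate the path in lower layers.
    if ($file === '' || strpos($file, "\0") !== false) {
        return 1;
    }
    // Windows accepts both separators, so fold "\" into "/" before inspecting.
    $normalized = str_replace('\\', '/', $file);

    // Drive-qualified ("C:/...", "C:file") or rooted ("/etc", "//server/share").
    if (preg_match('/^[A-Za-z]:/', $normalized) || $normalized[0] === '/') {
        return 2;
    }
    // Any ".." segment walks out of the base directory.
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            return 3;
        }
    }
    return 0;
}

// Constructed sample inputs, each mapped to the code it should yield.
$samples = [
    'themes/default/style.css' => 0,
    '../wp-config.php'         => 3,
    '..\\wp-config.php'        => 3, // missed by a check for "../" alone
    'themes\\..\\..\\boot.ini' => 3,
    'C:\\boot.ini'             => 2,
    '\\\\server\\share\\x.php' => 2,
    'notes..txt'               => 0, // dots inside a name are not a segment
];
foreach ($samples as $path => $expected) {
    $code = check_relative_path($path);
    printf("%-26s -> %d%s\n", $path, $code, $code === $expected ? '' : ' (unexpected)');
}
```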