Yesterday, WordPress 2.9.2 was released to correct a bug in which “trashed” blog posts are visible to potentially unauthorized users.
According to Ryan, this can occur when logged-in users browse the trash area: these users can view posts that belong to others, so sensitive or private information may be inappropriately accessible. Thomas Mackenzie first mentioned this on his blog a few days ago (with a lot of interesting details). An “unofficial” WordPress diff patch was posted to address the defect, and WordPress 2.9.2 was released within a couple of days of it.
This is a worthwhile upgrade for WordPress sites that allow multiple users to log in and rely on different authorization levels to govern the various user roles.
N.B.
You may have noticed that we’re starting to use the Tell.im URL shortener in some of our links, including in this post…
UPDATE: Thomas points out that this post had incorrectly attributed the unofficial diff patch to him. According to him, it originated from the WordPress folks.
{ 5 comments }
Just so you know, that patch was the unofficial release from WP; I did not make it.
Thanks for your support
Thanks for the clarification!
Will update the post.
WordPress updates are always handy, but this update is useful only for those who have their registration open.
I will wait for the latest WordPress 3.0, which has WordPress MU capability.
It does not appear that the issue is applicable ONLY to sites that allow open registration.
It is applicable to any WordPress site that uses the user roles and any additional authorization features (via plugin(s) or customization(s)) to gate access to privileged or sensitive content. This could range from private content, to culturally-sensitive unabridged content, to anything that may be either misconstrued by an unintended audience or a flaky Web service.
… And it’s possible that there may be another WordPress update between 2.9.2 and the upcoming 3.0 release.