Do you make use of the nifty little trash feature recently introduced in WordPress 2.9 that allows you to “delete” or “trash” posts to a recycle bin from which you can then choose to permanently delete or restore at a later date?
Well, if the answer is yes, then it is probably a good idea to quickly update your installation to the newly released version 2.9.2 in order to protect yourself against a nasty little bug introduced with this great new bit of functionality!
The problem is that in introducing this new core bit of functionality, the developers somehow forgot to properly integrate it with WordPress’ security framework. The result is that any authenticated user, no matter what rights they have (e.g. they could even be a simple subscriber), can access the trash of any other user. This means that any sensitive posts you previously trashed would in fact still have been pretty much open for any logged-in user to see.
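The missing check can be pictured with a small model, added here as an illustration and not taken from WordPress' code or from the 2.9.2 patch. The role names mirror WordPress defaults; the classes, the permission rules and the sample users and posts are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Simplified model, not WordPress code. Role names mirror WordPress defaults;
# the permission rules are assumptions made for illustration.
PRIVILEGED_ROLES = {"editor", "administrator"}

@dataclass(frozen=True)
class User:
    id: int
    role: str

@dataclass(frozen=True)
class Post:
    id: int
    author_id: int
    status: str  # "publish", "draft" or "trash"

def owns_or_privileged(user, post):
    return user is not None and (
        user.id == post.author_id or user.role in PRIVILEGED_ROLES)

def can_view_flawed(user, post):
    """Bug pattern from the text: trashed posts are gated on login only."""
    if post.status == "publish":
        return True
    if post.status == "trash":
        return user is not None  # any authenticated user, even a subscriber
    return owns_or_privileged(user, post)

def can_view_fixed(user, post):
    """Trashed posts go through the same ownership/role check as drafts."""
    if post.status == "publish":
        return True
    return owns_or_privileged(user, post)

def exposed_trash(users, posts):
    """(user_id, post_id) pairs readable only because of the flawed rule."""
    return sorted(
        (u.id, p.id) for u in users for p in posts
        if p.status == "trash"
        and can_view_flawed(u, p) and not can_view_fixed(u, p))

# Constructed sample data.
USERS = [User(1, "administrator"), User(2, "author"), User(3, "subscriber")]
POSTS = [Post(10, 2, "trash"), Post(11, 1, "trash"), Post(12, 2, "publish")]
```

Running `exposed_trash(USERS, POSTS)` lists the user and post pairs that were readable only because of the flawed rule, which is the exposure to review for any trashed content that existed before the upgrade.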
If you still aren’t on the same page with me as to why you need to upgrade to this patched version ASAP, let me put it to you a little differently. Let us say, for example, that you work for a boss, but being a disgruntled employee, you type up a post on the company blog revealing to the world all the naughty kinkiness you got up to with your boss’ daughter. Thankfully though, a moment of sanity prevailed and you trashed the post before publishing it, so it never saw the light of day – whew! However, if the bug was still active and your boss entered the blog to add a new post or such, he would be able to read what you had previously trashed and, make no mistake about it, you would now be standing out there in the cold in the unemployment line.
So do yourself a favour. Upgrade to WordPress 2.9.2 today! :)
Related Link: http://wordpress.org/development/2010/02/wordpress-2-9-2/