Monday, 23 April 2012

WordPress 3.3.2 is out.

WordPress has announced a new security update for all previous versions of its free and open source blogging tool. The organization wouldn't reveal how many vulnerabilities it fixed, but it did note that they were in double digits, and it did elaborate on some of the changes in WordPress 3.3.2. You can download the new version from wordpress.org/download or from your Dashboard (Updates menu in your site's admin area).

Three external libraries included in WordPress received security updates:

- Plupload (version 1.5.4), which WordPress uses for uploading media. This one was disclosed by Neal Poole and Nathan Partlan.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins. This one was also disclosed by Neal Poole and Nathan Partlan.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes. This one was disclosed by Szymon Gruszecki.

WordPress 3.3.2 also addresses:

- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances. This one was disclosed by Jon Cave of the WordPress core security team, and Adam Backstrom.
- Cross-site scripting vulnerability when making URLs clickable. This one was also disclosed by Jon Cave.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. This one was disclosed by Mauro Gentile.

For all the details, check out the full WordPress change log. If you have discovered a security vulnerability in WordPress, you can responsibly disclose it via Automattic's Security webpage.

WordPress is a popular attack vector for cyber criminals, as you can see in the links below. Update now, if you haven't already.