The second maintenance release of WordPress 3.5, fixing 12 bugs is now available. This is a security release for all previous versions. Web site owners are encouraged to update their installations immediately.
The security fixes include:
- Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
- Disallow contributors from improperly publishing posts or reassigning the post’s authorship.
- An update to the SWFUpload external library to fix cross-site scripting vulnerabilities.
- Prevention of a denial of service attack, affecting sites using password-protected posts.
- An update to an external TinyMCE library to fix a cross-site scripting vulnerability.
- Multiple fixes for cross-site scripting.
- Avoid disclosing a full file path when a upload fails.
More information and download at: http://wordpress.org/news/2013/06/wordpress-3-5-2/