WordPress 2.9.2 Update: Trashed Posts and Lower-Level User Access Fix

Nina Rotz
WordPress 2.9.2 comes less than two months after the WordPress 2.9.1 release. Updating WordPress to version 2.9.2 is not critical, but it is still recommended. The update fixes a permissions vulnerability. Two WordPress users, tmacuk.co.uk and caesarsgrunt, reported that authenticated users can see deleted (or trashed) blog posts that were written by other registered users. The authenticated user with permissions to view posts can be anyone from an administrator to a regular subscriber.

WordPress Update: What are registered and lower-level users?
A WordPress blog with one author usually has a single registered administrator. This administrator is the owner of the blog and its main author. Subscribers cannot see all the settings, options and blog post features. They are lower-level users who can only read blog posts and receive email alerts for published posts. Other lower-level users can include Contributors, Editors and Authors. A WordPress blog can also have more than one administrator; these registered users have full access and can alter templates and any blog settings. No one but a trusted user or co-owner of the blog should be set up as an administrator.

The trash is a new feature, implemented in version 2.9, so that users can retrieve posts that they may have deleted by accident. Trashed posts are only viewable by administrators.

WordPress 2.9.1 Update - A more critical WordPress update
Unlike WordPress 2.9.2, the earlier version 2.9.1 had a severe issue with scheduled posts and pingbacks not processing. Many bloggers, including myself, rely on scheduled posts. The feature helps to keep our blogs fresh and updated for our readers, even if we are occupied with other projects and unable to blog. A scheduled post can appear at a certain date or hour, making blog updating possible even if its owner is far away from a computer.

A glitch occurred in WordPress where scheduled posts were not appearing properly. I experienced the problem where posts were not publishing between sponsored blog posts, as required with most paid-blogging platforms. Publishing was a manual job, at least as soon as the problem became known. In my case, I did not notice it on two blog posts, and it affected paid blogging payouts that were due.

Release of WordPress 2.9.2 - Do you really need to upgrade so soon?
Updating to WordPress 2.9.2 will remove the issue of sensitive posts being read by unprivileged users. This update also eliminates the chance of someone reading blog posts that you did not wish to share with the public, or details of your life that you have decided to no longer share.

It is always good practice to update to the latest stable version of WordPress. Web hosts often deal with security issues and vulnerabilities from outdated WordPress scripts. Updating helps to remove critical and even minor script glitches. In the end, it comes down to having peace of mind and a secure blogging script.

How to Upgrade WordPress
A manual WordPress upgrade, done by downloading the new files from Wordpress.org/download, is preferred. An automatic script update is also available through the administrator dashboard: log in to your WordPress blog, click on the "Please update now" link, and follow the instructions provided. You can follow step-by-step WordPress upgrade instructions here.


Published by Nina Rotz

Nina Rotz is a freelance writer, a blogger and SEO extraordinaire. Nina's experience includes running a web hosting business and fourteen years of website building, programming and blogging. Her educat...

3 Comments

  • Kay Balbi, 2/23/2010

    Timely for me, I just registered my domain name with WordPress, thanks!

  • Pat Bartels, 2/23/2010

    Good report

  • Jan Corn, 2/23/2010

    Excellent and helpful info for a WordPress 2.9.2 Update. Thanks, Nina!
