WordPress 3.0.2 has been out for a few days; if you haven't upgraded yet, you'd better do it soon.

There's a SQL injection vulnerability in the do_trackbacks() function of all versions of WordPress prior to 3.0.2 that allows remote attackers to execute arbitrary SELECT SQL queries. wp-includes/comment.php does not properly escape the input that comes from the user, so a remote user who holds the edit_published_posts capability can execute an arbitrary SELECT SQL query, which can lead to disclosure of any information stored in the WordPress database.
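To make the defect class concrete, here is an added example (not WordPress's own code, and not the actual do_trackbacks() fix) that puts the unsafe pattern the advisory describes, user input interpolated straight into the SQL string, beside the parameterised form that should replace it. It runs stand-alone against an in-memory SQLite database through PDO; the wp_posts table, its rows and the two sample URLs are constructed for the demo, and the $wpdb->prepare() call shown in a comment is the WordPress equivalent of the PDO prepared statement.

```php
<?php
// Added example: unsafe interpolation vs. a bound parameter, with a throwaway
// SQLite database so it runs offline. Table and rows are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, to_ping TEXT)");
$db->exec("INSERT INTO wp_posts VALUES (1, 'Hello world', 'http://example.com/a')");
$db->exec("INSERT INTO wp_posts VALUES (2, 'Second post', 'http://example.com/b')");

// Vulnerable pattern: the caller-supplied trackback URL becomes part of the SQL text.
// Any quote character in $url changes the structure of the statement, which is the
// condition under which a caller can smuggle in their own SELECT.
function posts_pinging_unsafe(PDO $db, string $url): array {
    $sql = "SELECT ID, post_title FROM wp_posts WHERE to_ping = '$url'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the URL travels as a bound parameter and is never parsed as SQL.
// In WordPress the same idea is written with the %s placeholder of $wpdb->prepare():
//   $wpdb->get_results( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE to_ping = %s", $url ) );
function posts_pinging_safe(PDO $db, string $url): array {
    $stmt = $db->prepare("SELECT ID, post_title FROM wp_posts WHERE to_ping = ?");
    $stmt->execute([$url]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A benign URL and one containing an apostrophe (legal in URLs) are enough to show the
// difference: the unsafe query breaks as soon as the input contains a quote, while the
// parameterised query simply treats it as data and finds no matching row.
foreach (['http://example.com/a', "http://example.com/o'reilly"] as $url) {
    try {
        $rows = posts_pinging_unsafe($db, $url);
        echo "unsafe: " . count($rows) . " row(s) for $url\n";
    } catch (PDOException $e) {
        echo "unsafe: statement broken by input '$url': " . $e->getMessage() . "\n";
    }
    $rows = posts_pinging_safe($db, $url);
    echo "safe:   " . count($rows) . " row(s) for $url\n";
}
```

The point to check in a code review is the shape of the query, not the inputs you happen to test with: if a request-controlled value ends up inside the quotes of a SQL literal, the only robust fix is a placeholder ($wpdb->prepare() in WordPress, a PDO prepared statement elsewhere); escaping at the call site is easy to forget, which is exactly what the comment.php issue shows.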