OSV:DSA-1285-1
wordpress

Type: osv
Date: May 01, 2007 - 12:00 a.m. (2007-05-01 00:00:00)
Source: Google (osv.dev)

CVSS2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  Access Vector:          NETWORK
  Access Complexity:      LOW
  Authentication:         SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact:       PARTIAL
  Availability Impact:    PARTIAL

EPSS: 0.171 Low (Percentile: 95.3%)

  • CVE-2007-1622
    Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in
    WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series,
    allows remote authenticated users with theme privileges to inject
    arbitrary web script or HTML via the PATH_INFO in the administration
    interface, related to loose regular expression processing of PHP_SELF.
  • CVE-2007-1893
    WordPress 2.1.2, and probably earlier, allows remote authenticated
    users with the contributor role to bypass intended access restrictions
    and invoke the publish_posts functionality, which can be used to
    publish a previously saved post.
  • CVE-2007-1894
    Cross-site scripting (XSS) vulnerability in
    wp-includes/general-template.php in WordPress before 20070309 allows
    remote attackers to inject arbitrary web script or HTML via the year
    parameter in the wp_title function.
  • CVE-2007-1897
    SQL injection vulnerability in xmlrpc.php in WordPress 2.1.2, and
    probably earlier, allows remote authenticated users to execute
    arbitrary SQL commands via a string parameter value in an XML RPC
    mt.setPostCategories method call, related to the post_id variable.

For the stable distribution (etch) these issues have been fixed in
version 2.0.10-1.

For the testing and unstable distributions (lenny and sid,
respectively), these issues have been fixed in version 2.1.3-1.

We recommend that you upgrade your wordpress package.

CPE Name     Operator   Version
wordpress    eq         2.0.10-1~bpo.1
wordpress    eq         2.0.9-1
