"WordPress 2.1.2, and probably earlier, allows remote authenticated users with
the contributor role to bypass intended access restrictions and invoke the
publish_posts functionality, which can be used to "publish a previously saved
"SQL injection vulnerability in xmlrpc.php in WordPress 2.1.2, and probably
earlier, allows remote authenticated users to execute arbitrary SQL commands via
a string parameter value in an XML RPC mt.setPostCategories method call, related
to the post_id variable."
All active FE releases have 2.1.3-RC2 which seems affected. 2.1.3 final is said
to fix these issues.
New packages built (2.1.3 final)