
PHP Security Blog:
WordPress - Irresponsible Silent Tarball Update
Aug 18, 2005 @ 10:37:30

The PHP Security Blog has a comment posted today concerning what they call an "irresponsible silent tarball update" for WordPress.

It turns out that the WordPress developers are not only slow in dealing with security holes, but totally irresponsible. It has come to my attention that, after I had disclosed to them the obvious flaws in their security fix, they have silently replaced the release tarball of WordPress 1.5.2 with a fixed version at an unknown point in time during the last 2 days.

This means everyone who upgraded within the first day is most probably still vulnerable to the exploit. It is hard to guess how many people are affected, because the change of the tarball was performed without any notification of me or their users.

To ensure that you have the most up-to-date version, you can either check out the issue here or you can simply grab the latest tarball from their site. When the security of a user's site is at stake, there needs to be more communication involved than just a file update - even if it's just a change to the changelog...
