On January 24, 2013, WordPress 3.5.1 was released to the public. This is a maintenance and security update.
From the announcement post, this maintenance release addresses 37 bugs with version 3.5, including:
- Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
- Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
- Networks: Suggest proper rewrite rules when creating a new network.
- Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
- Suppress some warnings that could occur when a plugin misused the database or user APIs.
Additionally: Version 3.5.1 fixes a few security issues:
- Server-side request forgery (SSRF) and remote port scanning via pingbacks. Fixed by the WordPress security team.
- Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon Cave of the WordPress security team.
- Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5 was released to address this issue.
A full log of the changes made for 3.5.1 can be found at http://core.trac.wordpress.org/log/branches/3.5?rev=23341&stop_rev=23167.