WordPress 2.6.3 was just released. A vulnerability was discovered today in the Snoopy library, which WordPress uses to retrieve external content for the Dashboard. WordPress officially states that this is low risk, though they released an immediate update with no warning. Only wp-includes/class-snoopy.php and wp-includes/version.php have changed.
According to Secunia, input passed to the “_httpsrequest()” function isn’t properly sanitised before being used in an “exec()” call. This can be exploited to inject arbitrary shell commands via a script that calls the “fetch()” or “submit()” function with a URL controlled by the attacker.
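The class of bug described above, shown as an added PHP illustration; it is not Snoopy's or WordPress's source code. The function names and the sample URL are hypothetical, and it assumes a POSIX shell, with `echo` standing in for the external program so that it runs offline.

```php
<?php
// Added illustration; not Snoopy's or WordPress's source. All names are hypothetical.

// Unsafe pattern: the URL is pasted between double quotes in a shell command
// line, so the shell still interprets $(...), backticks and embedded quotes.
function fetch_unsafe(string $tool, string $url): array
{
    exec($tool . ' "' . $url . '"', $output);
    return $output;
}

// Hardened pattern: validate the URL first, then pass it as one quoted argument.
function fetch_hardened(string $tool, string $url): array
{
    $parts  = parse_url($url);
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    if ($scheme !== 'https' || empty($parts['host'])) {
        // Rejecting non-https input also means the argument cannot start with
        // "-" and be read by the program as a command-line option.
        throw new InvalidArgumentException('only absolute https URLs are accepted');
    }
    // escapeshellarg() single-quotes the value and escapes embedded single
    // quotes, so the shell hands it to the program as one literal argument.
    exec(escapeshellarg($tool) . ' ' . escapeshellarg($url), $output);
    return $output;
}

// Constructed sample input. "echo" stands in for the external program and
// simply prints the argument it receives.
$url = 'https://example.test/feed?x=$(echo EXPANDED_BY_SHELL)';

print_r(fetch_unsafe('echo', $url));   // the shell has rewritten the URL
print_r(fetch_hardened('echo', $url)); // the URL arrives as one literal argument
```

Comparing the two printed arrays shows whether the shell or the program was the first to interpret the URL, which is the property a patched build needs to guarantee.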