On June 21, 2013, WordPress 3.5.2 was released to the public with maintenance and security updates.

Security fixes:

  1. Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
  2. Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
  3. Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
  4. Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
  5. Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
  6. Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
  7. Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.

Additional security hardening includes:

  1. Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201.
  2. Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201.
  3. XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.

For more information, see: http://codex.wordpress.org/Version_3.5.2