WordPress 2.6.2 was released because of a weakness discovered in the PHP random number function mt_rand(). WordPress 2.6.2 is a critical release for those of you who allow open registration on your blog. Here is the reason why:
With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
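To show why the seeding of mt_rand() matters for a generated password, here is an added illustration (not WordPress code and not the announcement's own example): a hypothetical generator seeded from a value the caller supplies beside a hardened version that uses the operating system's CSPRNG. The function names, the alphabet and the seed value 1234 are all assumptions made for the demonstration.

```php
<?php
// Added illustration: a password built from mt_rand() is only as
// unpredictable as the seed mt_rand() was started from.

// Hypothetical weak generator (assumed, not WordPress code): seeds
// mt_rand() from a low-entropy value. Whoever can reproduce the seed
// can reproduce every "random" password it ever produced.
function weak_password(int $seed, int $length = 12): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    mt_srand($seed);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Hardened version: random_int() (PHP >= 7.0) draws from the OS CSPRNG,
// so there is no application-controlled seed to narrow down.
function strong_password(int $length = 12): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Same seed, same password: the output is fully determined by the seed.
$a = weak_password(1234);
$b = weak_password(1234);
var_dump($a === $b);   // bool(true)

// No reproducible seed: two calls are independent draws.
$c = strong_password();
$d = strong_password();
var_dump($c === $d);   // bool(false), with overwhelming probability
```

The defensive takeaway is the one behind the 2.6.2 fix: a reset password must come from a source an outsider cannot reconstruct, not from a seeded PRNG.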
Along with this critical fix, 2.6.2 is an interim release and therefore contains a few other bug fixes as well, such as images always being inserted into a post at full size, the RSS widget linking when there is no link, and the inability to control where a user is redirected to when they log in. You can view the rest of the bug fixes here (Fixed Bugs In 2.6.2).
I have already upgraded my blog without a problem!