The WordPress developers have just released another security and bug fix release.
Most of the updates in this new release fix minor bugs, but there's also one fairly high-risk security bug that they've plugged today:
Users without unfiltered_html capability can post arbitrary html
The user only needs to tamper with the data sent to post.php or page.php and add a field named no_filter with any value.
So it's best to update your blog ASAP. You can download it over here.
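For sites that log request data, the following added example (not WordPress code and not from the release notes) flags POST requests to post.php or page.php that carry the no_filter field described above. The request-record layout, the php_key helper, and the choice to also check the query string are assumptions made for this sketch.

```python
from email import message_from_bytes
from urllib.parse import parse_qs, urlsplit

TARGETS = ("/post.php", "/page.php")  # scripts named in the post
FIELD = "no_filter"                   # field named in the post

def php_key(name):
    """Normalise a field name roughly the way PHP does when it fills $_POST."""
    return name.split("[", 1)[0].replace(".", "_").replace(" ", "_")

def field_names(content_type, body):
    """Return the form field names carried in a request body."""
    kind = content_type.lower()
    if kind.startswith("application/x-www-form-urlencoded"):
        # keep_blank_values: the field matters "with any value", even empty.
        return set(parse_qs(body.decode("latin-1"), keep_blank_values=True))
    if kind.startswith("multipart/form-data"):
        msg = message_from_bytes(
            b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
        if msg.is_multipart():
            names = (p.get_param("name", header="content-disposition")
                     for p in msg.get_payload())
            return {n for n in names if isinstance(n, str)}
    return set()

def is_suspect(req):
    """True for a POST to post.php or page.php that carries no_filter."""
    url = urlsplit(req["url"])
    if req["method"].upper() != "POST" or not url.path.endswith(TARGETS):
        return False
    names = set(parse_qs(url.query, keep_blank_values=True))
    names |= field_names(req.get("content_type", ""), req.get("body", b""))
    return FIELD in {php_key(n) for n in names}

# Constructed sample requests (not taken from any real log).
FORM = "application/x-www-form-urlencoded"
SAMPLE = [
    {"method": "POST", "url": "/wp-admin/post.php", "content_type": FORM,
     "body": b"action=editpost&content=hello"},
    {"method": "POST", "url": "/wp-admin/post.php", "content_type": FORM,
     "body": b"action=editpost&content=hello&no_filter="},
    {"method": "POST", "url": "/wp-admin/page.php",
     "content_type": "multipart/form-data; boundary=XyZ",
     "body": b'--XyZ\r\nContent-Disposition: form-data; name="no_filter"'
             b"\r\n\r\n1\r\n--XyZ--\r\n"},
    {"method": "GET", "url": "/wp-admin/post.php?no_filter=1"},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["method"], r["url"], "SUSPECT" if is_suspect(r) else "ok")
```

A hit from an account that lacks the unfiltered_html capability is the case worth reviewing, together with the content of the post or page it saved.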