I just updated my blog to WordPress 2.8.6. The new version fixes security problems that can be exploited by registered, logged-in users with posting privileges: an XSS vulnerability and an issue exploited in certain Apache configurations by uploading files.

So if you have untrusted authors on your blog, upgrading to 2.8.6 is necessary. Let’s keep our make-money-online machine safe!