WordPress has just released a bug-fix release, WordPress 2.2.2, for what is supposed to be a loophole in the code. Here are the changelog and fixes over the previous version:
- On Windows machines register_activation_hook() does not work if the plugin is in a subfolder of the plugins dir
- Proposal for a new plugin architecture
- MAGPIE_USER_AGENT lack of wp version
- Don’t return GMT date/time in XML-RPC, breaks some clients.
- Invalid RSS2 Comments Feed
- Users without unfiltered_html capability can post arbitrary HTML
- WordPress Admin RTL files Bug Fix
- Fix mt_allow_pings in metaWeblog.newPost (XML-RPC)
- Corrected indentation in wp-mail.php
You can download it and see more details of the changes at WordPress Downloads.