WordPress users will notice a new automatic update available for 2.9.2, this security update fixes a vulnerability affecting all WordPress installations since the recent introduction of the Trash feature in the 2.9.* series.
Every logged in user, even those with the subscriber role, can access all deleted articles and posts that have been moved to the trash. This might not affect the majority of blogs as there need to be at least two registered users and at least one user that is not trusted by the administrator of the site.
Excerpt from WordPress 2.9.2 Released at ghacks.net.