There are some new wordpress security bugs: http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/
I believe we managed to escape the PHP execution one by the hair of a rewrite rule, but I have not confirmed the XSS one. Updates/backporting should probably be requested for this if anybody has a chance.
Updated to 2.8.6 from epel-testing.
Login to comment on this ticket.