The vulnerability exploits a new feature that has been introduced in WordPress 2.9: the trash. The trash is a basic trashcan where deleted posts are placed so that they can be restored if they have been deleted by accident. This trash can be disabled but is activated by default on all WordPress 2.9 and later blogs.

Every logged in user, even those with the subscriber role, can access all deleted articles and posts that have been moved to the trash. This might not affect the majority of blogs as there need to be at least two registered users and at least one user that is not trusted by the administrator of the site.

In theory though anyone with a user account at the website can access the trashed articles regardless of which user wrote them.

The WordPress 2.9.2 patch fixes this exploit so that this is no longer possible. WordPress 2.9.2. can be downloaded from the official WordPress website. Users who have configured their blog for automatic updates can also update the blog from within the blog right away.

One way to clean up your WordPress Database, including old post revisions and items that are in trash, is to use WP-Optimize.  It does a great job at cleaning up bloated databases on busy WordPress sites and keeps them running fast.