The Plone Security Team has posted Plone Hotfix 20130618 at:
Users of Plone 4.3, Plone 4.2, Plone 4.1, Plone 4, Plone 3, Plone 2.5 and Plone 2.1 should immediately apply this hotfix. Full instructions on applying the hotfix are on the hotfix page.
Please note that there is a version 1.3 of the hotfix. Version 1.0 was discovered to cause problems on Plone 2.1 systems and with certain add-ons in other versions of Plone. Version 1.1 also contained a few minor issues. If you're just getting around to installing the hotfix now or if you're experiencing issues with version 1.0 or 1.1 of the hotfix, please install version 1.3.
The hotfix patches Zope and Plone for a variety of issues, including arbitrary code execution and privilege escalation. Full announcement of the security vulnerability is available at:
If you don't have in-house server administrators, a hosting service, or a service agreement with a service provider who can handle the installation of this patch, there is free support available via Plone mailing lists and the Plone IRC channels. You can also find companies who can help with this by visiting the Plone Service Providers listing.