The finalized version of WordPress 2.8 was released today. The changes made include better widgets, a theme browser/installer, performance upgrades, and over 790 bug fixes. The widget admin interface has been changed to allow for making immediate edits to widgets, having multiple copies of widgets, and the ability to save settings for inactive widgets. A new widget API should allow for developers to create improved widgets.
On the security front, changes were made that should improve plugin security from cross-site scripting (XSS) attacks. An empty index file has been added to the plugin directory so that servers that are configured to show the contents of directory when no index file exist will no longer show potential hackers what plugins are located in the directory that they could attempt to exploit.
A full lists of changes in 2.8 is available at the WordPress Codex.
According to a post by Matt Mullenweg on the WordPress Blog possible improvements in versions 2.9 and 3.0 include “improved media handling, better dependency checking, versioning of templates and themes, and of course the fabled merging of WordPress and MU.” Version 2.9 will also requireMySQL 4.1.2 or higher, up from the current requirement of 4.0.