Apparently, there was a flaw in KSES, which is used in “lots of places” according to WordPress chief Matt Mullenweg.
You used to be able to hack into different parts of WordPress sites if you just changed a few letters from lowercase to uppercase. You’d also have to be quite a jerk and have time on your hands.
So, now the security fix is out, and it only affects security, so you don’t have to worry about updating WP and having plugins and themes break, which does happen sometimes with updates.