The great minds behind WordPress discovered another vulnerability yesterday: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. That would mean that the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. While this doesn’t mean the attacker could access your account it is still an annoying thing to happen.
As such, please update your WordPress installation as soon as you can and download WordPress 2.8.4 from here.
