WordPress 2.8.4 has just been released to the public. This version is to patch a vulnerability that was discovered yesterday – a specially crafted URL could be requested that allows an attacker to bypass a security check to verify a user-requested password reset.
As a result, the first account without a key in the database (which is normally the admin), would have its password reset, with the new password emailed to the account owner. Although this does not allow any form of remote access, but it can be quite annoying.