The WordPress team has found and fixed another security bug. This one is considerably more serious than the privilege escalation issues addressed in the last security update, but it is still not terribly damaging.
Via a specially crafted URL, an attacker could bypass the check that verifies a user actually requested a password reset. When the reset went through unauthorized, the first account in the database without a pending reset key (usually the administrative account, since it rarely has one) would have its password reset, and the new password would be emailed to the account owner. The attacker never sees that password, so the practical effect is a nuisance (lockout until the owner reads the mail) rather than a takeover. Says Matt Mullenweg, founding WordPress developer: "This doesn't allow remote access, but it is very annoying."
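As an added illustration (not WordPress's own code), the following PHP models the class of bug described above: a reset-key guard that passes when the request parameter arrives as an array rather than a string, so the lookup runs against an empty key and matches the first account that has none. That the crafted URL supplies the key as an array (`key[]=`), and the unwrapping behaviour of the `lookup_by_key()` helper, are assumptions made for the example; the article itself only says "specially crafted URL". The user table and key values are constructed.

```php
<?php
// Illustrative example, not WordPress code. Assumption: the crafted request
// sends key[]= so that $_GET['key'] is array('') instead of a string.

// Constructed sample user table. The admin row has an empty activation key
// because no reset was ever requested for it.
$users = [
    ['ID' => 1, 'user_login' => 'admin', 'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'alice', 'user_activation_key' => 'k7p2x9'],
];

// Stand-in for a parameterised lookup. Assumption for the example: like some
// query helpers, a single array argument is unwrapped into its elements, so
// array('') collapses to '' before the comparison.
function lookup_by_key(array $users, $key) {
    if (is_array($key)) {
        $key = (string) reset($key);
    }
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $key) {
            return $u;
        }
    }
    return null;
}

// Vulnerable pattern: preg_replace() accepts an array and returns an array,
// and empty(array('')) is false, so the guard passes and the lookup runs
// with an empty key, matching the first user that has no key set.
function reset_password_vulnerable(array $users, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return 'invalid key';
    }
    $user = lookup_by_key($users, $key);
    return $user ? "reset password for {$user['user_login']}" : 'invalid key';
}

// Hardened pattern: require a non-empty string before touching storage, and
// never let a stored empty key count as a match.
function reset_password_hardened(array $users, $key) {
    if (!is_string($key)) {
        return 'invalid key';
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return 'invalid key';
    }
    $user = lookup_by_key($users, $key);
    if (!$user || $user['user_activation_key'] === '') {
        return 'invalid key';
    }
    return "reset password for {$user['user_login']}";
}

// Normal flow: ?key=k7p2x9 (alice requested a reset)
echo reset_password_vulnerable($users, 'k7p2x9'), "\n";
// Crafted request: ?key[]= arrives as array('')
echo reset_password_vulnerable($users, ['']), "\n";
echo reset_password_hardened($users, ['']), "\n";
echo reset_password_hardened($users, 'k7p2x9'), "\n";
```

Run with the PHP CLI: the crafted call reaches the admin row in the vulnerable version and is rejected by the type check in the hardened one, while the legitimate key still resets alice's password in both. The two things worth carrying over to any reset flow are that every request parameter is type-checked before it reaches a query, and that "no key set" is stored as something that can never equal a submitted value (NULL, not an empty string).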
As usual, the WordPress development team was quick to fix the issue; the fix ships in version 2.8.4, which is available for download. Site owners should upgrade, since every site running an affected version exposes its reset endpoint without authentication.