Dr. Dave (author of Spam Karma) offered this deliberately non-specific warning on his blog today about a potential exploit related to enabling user registration in all current versions of WordPress.
He hesitates to give the details of the problem, since the lid is apparently still on pretty tightly, and so far there are no exploits “in the wild”. I generally disagree with this approach to security announcements, and have some issues with this one in particular, which I can elaborate on if anyone’s really interested, but it may be wise just to heed his advice for now until more info is uncovered.
The worst that could happen is it’s just a big practical joke to see how many people will respond to him “crying wolf”, but I don’t think he would really do that. The odd thing is that he said the WP developers have been notified, but Matt hasn’t heard anything about it.