Yesterday my friend Robert Wood reset the administrative password on my site. Rather than being upset, I’m delighted. Robert was notifying me of a flaw in the WordPress software that allowed anyone to reset the administrative password of a blog.
While this did not provide access to the administrative account (the password reset was only sent out via email to the registered account holder), it did expose a weakness. If someone also had access to the email account affiliated with the administrator, they could potentially hijack this password reset and gain access to your WordPress site.
Version 2.8.4 of WordPress is available and I recommend you upgrade immediately.