From the official "WordPress.org blog":http://wordpress.org/development/2008/04/wordpress-251/:
bq. Version 2.5.1 of WordPress is now available. It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.
If you run a WordPress site and haven't already installed this new security update, doing so now is your best bet to prevent your site from being victimized. Once hackers reverse engineer the vulnerability, there will probably be attacks on sites running earlier versions of WordPress.
Badware distributors have attacked WordPress sites before, most notably with the recent "wp-stats iframe":http://blogs.stopbadware.org/articles/2008/02/18/stopbadware-discussion-.... At StopBadware, we're still hearing from website owners whose sites are running older versions of WordPress and are being compromised with wp-stats, which exploits a vulnerability that's now several months old.
Our advice for owners of WordPress sites? As StopBadware volunteer Steven Whitney wrote during the previous wave of attacks:
bq. New versions of WordPress should always be installed promptly because the popular blogging software is heavily targeted by hackers using automated crawlers. You can register at "http://wordpress.org/":http://wordpress.org/ to receive email notifications when new versions are announced.