WordPress 2.8.4 [security release]
WordPress rolled out WordPress 2.8.4 as a security release on August 11, just eight days after releasing 2.8.3 and 22 days after 2.8.2. The release addresses a vulnerability in which a specially crafted URL would allow an attacker to bypass the security check that verifies a user's request to reset a password.
As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. While this wouldn't allow remote access, it would be very annoying if your account was continuously reset with a new password.
Check out this post from Theme Lab for more about this exploit.
You may download the full package here or update internally via WordPress’ version upgrade option in the admin section.
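The reset-key check described above, as an added example that is not WordPress's own code: a simplified model showing why a key that ends up empty matches the first account with no key stored, and a stricter check that rejects it before any lookup. The `$users` array and the functions `find_user_by_key`, `reset_weak` and `reset_hardened` are hypothetical names, and the data is constructed.

```php
<?php
// Constructed sample data standing in for the users table (not real WordPress rows).
// An empty activation key means no reset was ever requested for that account.
$users = [
    ['login' => 'admin',  'activation_key' => ''],
    ['login' => 'editor', 'activation_key' => 'k3yFromResetEmail'],
];

// Hypothetical helper: return the first user whose stored key equals $key.
function find_user_by_key(array $users, string $key): ?array {
    foreach ($users as $user) {
        if ($user['activation_key'] === $key) {
            return $user;
        }
    }
    return null;
}

// Weak: whatever arrives is normalised and looked up, so a value that
// normalises to '' matches the first account with no pending reset.
function reset_weak(array $users, $key): ?array {
    $key = is_string($key) ? $key : '';
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return find_user_by_key($users, $key);
}

// Hardened: the key must be a non-empty string both before and after
// normalisation, otherwise the request is rejected without a lookup.
function reset_hardened(array $users, $key): ?array {
    if (!is_string($key) || $key === '') {
        return null;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return $key === '' ? null : find_user_by_key($users, $key);
}

// Constructed inputs: a valid key, an empty key, a non-string value, punctuation only.
foreach (['k3yFromResetEmail', '', ['x'], '!!!'] as $input) {
    $weak = reset_weak($users, $input);
    $hard = reset_hardened($users, $input);
    printf("%-20s weak=%-7s hardened=%s\n",
        json_encode($input),
        $weak['login'] ?? 'reject',
        $hard['login'] ?? 'reject');
}
```

Only the valid key resolves to an account under the hardened check; under the weak one, every input that collapses to an empty string resolves to the account with no key stored.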








