Got this off Lorelle, who got it off the creator of Spam Karma, Dr. Dave. It’s a massive security flaw that affects any and all users of the standalone version of WordPress, both 1.5.X and 2.0.X, and not WordPress.com or any WordPress Multi User versions. In Dr. Dave’s words from his post:
If you are running WordPress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).
Additionally, delete or disable ANY guest account already created by people you are not sure about.
Apparently there is an exploit that allows registered guests to make a whole mess of your account even if they are set to “Subscribers”, and if you’re one of those people who turned registration on because you wanted added moderation for your comments, you’re inviting a lot of trouble if you leave it on.
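The same check and clean-up done straight against the database, as an added example that is not from Dr. Dave’s post or the WordPress project. It assumes a WordPress 2.0.x schema with the default “wp_” table prefix (in 2.0 the role lives in the serialized “wp_capabilities” row of wp_usermeta; 1.5.x still used user_level, so the third query would not apply there):

```sql
-- Added audit queries (not from the original post). Assumes the default
-- "wp_" table prefix of a WordPress 2.0.x install; adjust if yours differs.

-- 1. Is open registration on? option_value '1' means the
--    "Anyone can register" box in wp-admin >> Options is checked.
SELECT option_value AS anyone_can_register
FROM wp_options
WHERE option_name = 'users_can_register';

-- 2. Turn it off without going through wp-admin
--    (same effect as unchecking the box).
UPDATE wp_options
SET option_value = '0'
WHERE option_name = 'users_can_register';

-- 3. List every account that holds only the Subscriber role, oldest first,
--    so each self-registered guest can be reviewed and deleted if unknown.
--    In 2.0 the role is stored serialized, e.g. a:1:{s:10:"subscriber";b:1;}
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"subscriber"%'
ORDER BY u.user_registered;
```

Query 3 only finds accounts whose capabilities row names “subscriber”; an account a guest has already escalated will show up under another role, so compare the full user list against the people you actually know.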
Until now, I can’t really confirm or deny that there is a serious exploit in WordPress from any of my sources, but if memory serves me right, actually confirming that on public channels is just inviting a whole lot of problems for the rest of the community anyway, since it’ll be open knowledge for any yahoo with too much free time on their hands to start exploiting the flaw.
For now though, I’m trusting the source and I recommend that you do the same thing too, especially if you’re a WordPress user who has registration turned on. It can’t hurt to do that for now. After all, it’s better to turn it off until a patch is released, which won’t be for a little while. I’ll keep an eye out for any more developments, but in the meantime… keep your guard up and your eyes open. You don’t want to have your entire account hijacked now, do you?