WordPress Releases New Security Patch

It really wasn’t long ago that WordPress released 2.8.3, on August 3, to patch up a few bugs. And just today, WordPress released another security fix, 2.8.4. The description of the fix says:

…a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
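
The failure described in the announcement, modelled as an added example (not WordPress code and not part of the original post): if an empty key ever reaches the lookup, the first account with no stored key matches, so the lookup itself should refuse it. The table layout, function names and sample values are assumptions made for illustration.

```python
import hmac
import sqlite3

def make_db():
    """Constructed sample data: admin has no pending reset, bob has one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, reset_key TEXT)")
    db.executemany(
        "INSERT INTO users (login, reset_key) VALUES (?, ?)",
        [("admin", ""), ("bob", "k3yForBob0123456789")],  # constructed values
    )
    return db

def reset_target_weak(db, key):
    """Lookup that trusts an earlier check: whatever key arrives is matched."""
    row = db.execute(
        "SELECT login FROM users WHERE reset_key = ? ORDER BY id LIMIT 1", (key,)
    ).fetchone()
    return row[0] if row else None

def reset_target_hardened(db, login, key):
    """Re-validate at the lookup and never match an account with no stored key."""
    if not isinstance(key, str) or not key.isalnum():
        return None  # rejects non-strings, empty strings and stray characters
    row = db.execute("SELECT reset_key FROM users WHERE login = ?", (login,)).fetchone()
    if row is None or not row[0]:
        return None  # unknown user, or no reset was requested for this account
    same = hmac.compare_digest(row[0].encode(), key.encode())
    return login if same else None

def accounts_without_key(db):
    """Audit helper: accounts an empty key would match in the weak lookup."""
    return [r[0] for r in db.execute(
        "SELECT login FROM users WHERE reset_key = '' OR reset_key IS NULL ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    print("weak, empty key      ->", reset_target_weak(db, ""))
    print("hardened, empty key  ->", reset_target_hardened(db, "admin", ""))
    print("hardened, valid key  ->", reset_target_hardened(db, "bob", "k3yForBob0123456789"))
```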

Well, any security issue having to do with the login process should be taken seriously. It wasn’t long ago that a friend (and client) of mine got hacked. Thankfully, access was only in WordPress and all entries were untouched.

Therefore, always keep your WordPress up to date. And if you’re too lazy for that, at least read the changelog before you upload and upgrade your WordPress installation.
