As many people are starting their own blogs these days and picking WordPress as their platform, the security of the WordPress platform is a really important concern for the WordPress community. That is why they have now come up with the WordPress 2.8.4 security release.
The concern was related to the admin account password reset. A specially crafted URL could be used to bypass the security check, reset the admin password and mail the new one to the account owner. The excerpt from the WordPress.org release is as below:
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
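The defensive shape of such a reset-key check, as an added example that is not the page's or WordPress's own code: the key must be a non-empty string, the lookup is bound to the login that requested the reset, and an account with no pending request (an empty stored key) can never match. The $users array and its field names are assumptions standing in for the database.

```php
<?php
// Added illustration, not WordPress's own code. A password-reset key check
// that fails closed instead of matching "the first account without a key".

function find_user_for_reset(array $users, $login, $key) {
    // Reject anything that is not a non-empty string before touching the data.
    if (!is_string($login) || !is_string($key) || $login === '' || $key === '') {
        return null;
    }
    // Bind the lookup to the requesting login, never to "first row whose key matches".
    if (!isset($users[$login])) {
        return null;
    }
    $user = $users[$login];
    // An account with no pending reset has an empty key; it must never match.
    if (!is_string($user['reset_key']) || $user['reset_key'] === '') {
        return null;
    }
    // Constant-time comparison of the stored key against the submitted one.
    if (!hash_equals($user['reset_key'], $key)) {
        return null;
    }
    return $user;
}

// Constructed sample data (assumed field names): admin has no pending reset,
// alice has requested one and holds a key.
$users = [
    'admin' => ['reset_key' => '', 'email' => 'admin@example.invalid'],
    'alice' => ['reset_key' => 'c0nstructed-sample-key', 'email' => 'alice@example.invalid'],
];

foreach ([['alice', 'c0nstructed-sample-key'], ['alice', 'wrong-key'], ['admin', '']] as $attempt) {
    list($login, $key) = $attempt;
    $user = find_user_for_reset($users, $login, $key);
    echo $login, ': ', ($user === null ? 'rejected' : 'reset mail to ' . $user['email']), "\n";
}
```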
The fix changes only one component, “wp-login.php”. You can download the changed component from the link provided below and replace it in your WordPress installation to upgrade from WordPress 2.8.3 to WordPress 2.8.4, or you can choose the automatic upgrade from the WordPress admin dashboard. If the automatic upgrade of WordPress is not working, replace the files listed below with the ones from the linked updated component.
Files to upload via FTP are as below:
1) wp-login.php in the root folder
2) version.php under the wp-includes folder
If you are just starting a fresh blog on WordPress, then download the latest version of WordPress from here.