According to a Finnish security research firm, tens of millions of WordPress websites are vulnerable. The bug apparently shipped with WordPress 3.0 back in 2010; to exploit it, the attacker only needs a text entry field such as the comment form, which is enabled by default.
Statement from Klikki:
“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication (login).
Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.
Such operations – demonstrated by our proof of concept exploits – include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.
Exploitability without login, under default settings, and the server-side impact make this probably the most serious WordPress core vulnerability that has been reported since 2009.”
The company has now worked with WordPress to solve the problem; patches have been released and will be deployed automatically.
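The mechanism the Klikki statement describes is a stored cross-site scripting flaw: a visitor's comment is saved unchanged and later rendered into the administrator's page, where any markup it carries becomes live HTML. The snippet below is an added example, not code from the article or from WordPress, that contrasts the vulnerable rendering pattern with the hardened one. The function names, the `SAMPLE_COMMENT` string and the `hasStrayMarkup` check are constructed for illustration.

```javascript
// Added example (not from the article or from WordPress): why a comment body
// must be escaped before it is placed into the administrator's page.

// Constructed sample comment (not from the article): visitor-supplied text that
// happens to contain an HTML tag with an event-handler attribute.
const SAMPLE_COMMENT = 'Nice post! <img src=x onerror="alert(1)">';

// Escape the five characters that carry meaning in HTML text and attribute
// context. Ampersand goes first so that already-produced entities are not
// double-escaped. Every other character is passed through untouched.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: author and body are concatenated straight into markup.
// Whatever tags the visitor typed are emitted as-is and become live DOM nodes
// in the browser of whoever views the comment list, including an administrator.
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Hardened pattern: every untrusted value is escaped at the point where it is
// written into HTML, so the same input is displayed as literal text.
function renderCommentSafe(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Regression check for a fragment that is supposed to be plain text: after
// escaping, no angle bracket may survive, because a single '<' is enough to
// open a tag once the fragment is parsed as HTML.
function hasStrayMarkup(textFragment) {
  return /[<>]/.test(textFragment);
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderCommentUnsafe('Visitor', SAMPLE_COMMENT));
  console.log('safe   :', renderCommentSafe('Visitor', SAMPLE_COMMENT));
  console.log('stray markup after escaping?', hasStrayMarkup(escapeHtml(SAMPLE_COMMENT)));
}

module.exports = { SAMPLE_COMMENT, escapeHtml, renderCommentUnsafe, renderCommentSafe, hasStrayMarkup };
```

Escaping everything is the right default for a field that is meant to be plain text. Where a site deliberately allows a small subset of markup in comments, the correct approach is a proper allowlist-based HTML sanitizer operating on a parsed document, not a regular expression over the raw string; the escape-all routine above is the baseline such a sanitizer must at least match.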