Continuing the shitshow, WordPress 2.8.3 had a vulnerability that allowed attackers to reset users’ passwords. From some random site:
We noticed a security vulnerability in WordPress 2.8.3 yesterday (and earlier versions as well) that allowed an attacker to reset passwords of users. While this vulnerability could not be exploited to gain access to the user account (unless access to the email account the password was send [sic] to was available as well) it could be used to annoy those users especially when combined with an automated script that would reset the password every seconds or minutes.
It turns out that we were a subject of just such an attack sometime in the last few hours. If you can’t get in, let me know.
We’ve updated to 2.8.4. This is another tick in the “Drupal” column I keep in my head.