WordPress announced the discovery today, saying that a security bug which has already been fixed is now being exploited in the wild. The worm is able to attack versions of WordPress prior to 2.8.4 and its immediate predecessor. Version 2.8.4 was released in early August to specifically address this flaw, which results in a password reset of WordPress accounts and allows someone to take control of the admin account. Doing so would give the person access to further information, as well as the ability to wreak havoc on the blog itself.