Lorelle is urgently warning:
Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!!
Update your WordPress blog before you continue reading this post. That’s how critical this issue is.
If you blog with a private installation of WordPress, heed the warning. Update now.
Then read the rest of what Lorelle on WordPress has to say: Old WordPress Versions Under Attack.
Mark Ghosh of weblogtoolscollection weighs in as well:
Older versions of WordPress are being attacked and characters are being added to the permalinks. Sure signs of the attack include strange characters in your permalinks (single posts do not work) and an extra administrator account in the users control panel which you cannot see. Look for the administrator count in brackets at the top. Is the number there what you would expect on your blog?
Please upgrade your WordPress blog to the latest version ASAP. Our own PluginBlog was vulnerable and was compromised (shame on me for not having upgraded from a really old version). Our blog had registration turned off.
After upgrading your blog and changing your password to a strong one, you can visit Lorelle’s post to find more ways to secure your install and remove the extra admin account that might have been created as part of the attack.
If your WordPress blog is not hosted at wordpress.com — I urge you to update your installation. Now!
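Both signs described above can be checked directly in the database, where an account hidden from the users control panel still shows up. This is an added example, not part of the original post or the quoted warnings; it assumes MySQL and the default `wp_` table prefix.

```sql
-- Assumption: default "wp_" table prefix. If your install uses another
-- prefix, change the table names and the 'wp_capabilities' /
-- 'wp_user_level' meta keys to match it.

-- 1. List every account with administrator rights, newest first.
--    Compare this list (and its length) with the administrators you
--    expect to exist on the blog.
SELECT DISTINCT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE (m.meta_key = 'wp_capabilities'
       AND m.meta_value LIKE '%"administrator"%')
   OR (m.meta_key = 'wp_user_level'
       AND m.meta_value = '10')
ORDER BY u.user_registered DESC;

-- 2. Show the stored permalink structure so it can be inspected for
--    characters you did not configure yourself.
SELECT option_value AS permalink_structure
FROM wp_options
WHERE option_name = 'permalink_structure';
```

Run the queries after upgrading and changing your password, and treat any administrator row you do not recognise as the extra account to remove.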