SecurityFocus has posted about a potential vulnerability in the WordPress comment field. The details state that it may be possible to inject HTML into the comment field of a WordPress blog and have it execute in the context of the site, which would make it a stored cross-site scripting issue: anything a commenter injects would run in every visitor's browser with the blog's own origin. No update has been announced at this time.
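As an added illustration, and not code from WordPress or from the SecurityFocus write-up, the following shows the pattern behind this class of bug and its two usual fixes. It is written in Python rather than WordPress's PHP because the logic is language-independent: a comment body concatenated straight into the page (the vulnerable shape), the same body HTML-escaped so it is displayed as text, and an allowlist sanitizer that keeps a few formatting tags, drops every attribute except an `http(s)` `href`, and escapes all text. The sample comment and the function names are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a comment may keep; anything else is dropped while its inner text is kept (escaped).
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "p", "a"}
# Attributes allowed per tag; "href" on <a> is kept only when its scheme is http or https.
ALLOWED_ATTRS = {"a": {"href"}}

# Constructed sample: a friendly comment carrying a javascript: link, an event-handler
# attribute and a script element, the kind of input a stored-XSS bug fails to neutralise.
SAMPLE_COMMENT = ('Nice post! <b>Thanks</b> '
                  '<a href="javascript:alert(1)" onclick="x()">link</a>'
                  '<script>alert(1)</script>')


def render_comment_unsafe(body: str) -> str:
    """The vulnerable pattern: the body is concatenated into the page verbatim, so
    any markup a visitor typed is parsed by the browser in the site's origin."""
    return '<div class="comment">' + body + '</div>'


def render_comment_escaped(body: str) -> str:
    """Simplest fix: escape the whole body so it is rendered as text, never as markup."""
    return '<div class="comment">' + html.escape(body, quote=True) + '</div>'


class _Sanitizer(HTMLParser):
    """Parser-based allowlist sanitizer (regex-based tag stripping is easy to get wrong).
    Entities are decoded on input (convert_charrefs=True) and re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_allowed = []  # stack of allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme in ("http", "https"):
                    kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_allowed.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_allowed:
            # Close everything down to and including the matching open tag so the
            # output stays well-formed even if the input was not.
            while self.open_allowed:
                t = self.open_allowed.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    # handle_comment / handle_decl keep the base class no-op, so <!-- --> and <!DOCTYPE> vanish.

    def result(self) -> str:
        while self.open_allowed:  # close any tags the commenter left open
            self.out.append(f"</{self.open_allowed.pop()}>")
        return "".join(self.out)


def sanitize_comment(body: str) -> str:
    """Return body with only ALLOWED_TAGS kept, attributes filtered and all text escaped."""
    p = _Sanitizer()
    p.feed(body)
    p.close()
    return p.result()


def render_comment_sanitized(body: str) -> str:
    """Fix that preserves basic formatting: sanitize, then embed."""
    return '<div class="comment">' + sanitize_comment(body) + '</div>'


if __name__ == "__main__":
    print("unsafe:    ", render_comment_unsafe(SAMPLE_COMMENT))
    print("escaped:   ", render_comment_escaped(SAMPLE_COMMENT))
    print("sanitized: ", render_comment_sanitized(SAMPLE_COMMENT))
```

The escaped form is the safe default for any field that never needs markup; the sanitizer is for the case where a blog wants to allow bold, italics and links in comments. Note what the sanitizer does with the sample: the `<b>` survives, the `<a>` loses both its `javascript:` `href` and its `onclick`, and the `<script>` element is reduced to its escaped text.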
In a somewhat related article, SecurityFocus also published a story based on a study by David Kierznowski. In the study, he found that only one in fifty WordPress blogs sampled had been upgraded to the newest version. WordPress seems to issue a new version in order to patch the code base in response to security vulnerabilities and bug fixes, so these unpatched installs are probably open to some tomfoolery. Lack of technical know-how and non-functioning plug-ins are the reasons cited in the article, but from reading posts on the Internet, it seems that apathy and frequent releases are also contributing factors to falling behind on updates.