According to Dr Dave there is a serious security flaw in all versions of WordPress. His advice is to immediately disable the “anyone can register option” (Go to the admin panel, under Options->General, about half way down the page) to protect yourself in the meantime.

He is not official WP personnel, but from previous reading around the ‘net, he’s clearly a well respected player. I don’t get many registrations in the first place, so I’ve gone ahead and turned it off myself. I’ll keep y’all posted when I get any more info.