WordPress team has released a new update to the 2.6 branch which addresses issues when your blog has public registrations open.
If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
This definitely looks a problem good enough to upgrade your WordPress right away, The exploit is not yet known and it is advised that you upgrade before the finder of the exploit makes the findings known to general public.
We have already updated to the latest version, since we have public registration open using WPAU, if you want to upgrade to WordPress easily, try this Google search and you will find what we are talking about