This is practically content free. If there really is a known security hole in WordPress, I for one would like to know what it is, so I can patch my sites. Vague burblings about XSS just don't cut it. After all, it's possible that his site was exploited prior to 2.8.4 and he just noticed the problems (or the attack has just become active) now.
It's a good thing they've spent so much time focusing on a photo editor!<p>See tptacek's comment about WordPress security <a href="http://news.ycombinator.com/item?id=806760" rel="nofollow">http://news.ycombinator.com/item?id=806760</a>