Matt Mullenweg has released Wordpress 2.6.2 an open source (GPL) blog engine based on PHP and MySQL. "With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password." All users should upgrade. If you don't have time to upgrade at the moment, turn off registration.