A security flaw in WordPress 3 allows injection of JavaScript into certain text fields. In particular, the problem affects comment boxes on WordPress posts and pages. These do not require authentication by default.
02864c8b1d8ce4fe8f2269a04a424fa54ebc581ac541b6681c57d7abdb8251f1