The new wordpress 2.6.2 has been released. If you allow user registration, it’s highly recommended you upgrade immediately.
In versions 2.6.1 and earlier, it’s possible for one to create a username that is then able change the password of another user. Although this randomly generated password isn’t revealed to the attacker, it’s still an annoyance if your password gets randomly changed constantly.
Time to upgrade WordPress ASAP! Ive upgraded mine 
