Hackers can hijack a WordPress site through a public Wi-Fi connection because WordPress servers send the "wordpress_logged_in" cookie in plain text, instead of encrypting it.
The technique makes use of XML-RPC, a protocol that WordPress and a range of other blogging software use to provide pingbacks, trackbacks and, for some users, remote access from mobile devices.
More than 162,000 WordPress sites were used to launch a large distributed denial of service attack against a target, according to security firm Sucuri.
WordPress is working on writing and editing in place.
WordPress delivered its latest update this week.
Vulnerabilities in WordPress continue to surface, the latest example being the hack of the website of Canadian internet services company Storm, reports Chris Larsen, a security researcher at BlueCoat.
WordPress 3.7 is here.
Automattic bought startup Cloudup last week.
Today's content management systems are a marked improvement over website production tools of the 90s, but that's probably little consolation to today's users struggling to make their CMSes work.
State-sponsored hackers are making use of web services, such as Dropbox and WordPress, as part of their attacks.