The WordPress community has been vigilant in keeping WordPress as secure as possible against malicious attacks, with its developer userbase going even further than Automattic itself in scouring the code for possible vulnerabilities. The result of this thoroughness is the 2.8.4 update.
Automattic describes the small but important patch thusly:
“A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.”
It is strongly recommended that all custom WordPress installations apply this update immediately.
If you haven’t already, you can apply this update via the simple upgrade button visible from your admin panel. As always, you may want to back up your database first if you have any uncertainty about this patch, your installation, or anything else.
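
The class of flaw the advisory describes, a reset-key lookup that ends up matching "the first account without a key", is shown here as an added example in a simplified Python model. It is not WordPress's code and does not reproduce the crafted URL; the user table, key format and function names are assumptions made for illustration.

```python
import hmac
import re

# Constructed sample data: the admin row has never requested a reset,
# so its stored key is empty (the "account without a key" in the advisory).
USERS = [
    {"login": "admin", "reset_key": ""},
    {"login": "alice", "reset_key": "k3J9xQ2mVb7TzR4w8LpA"},
]

# Assumed key format for this model: exactly 20 alphanumeric characters.
KEY_FORMAT = re.compile(r"[A-Za-z0-9]{20}")


def normalize(key):
    """Keep only alphanumerics, as a key sanitizer might."""
    return re.sub(r"[^A-Za-z0-9]", "", key)


def lookup_weak(raw_key):
    """Flawed model: the presence check runs before normalization."""
    if not raw_key:                    # check is made on the raw value
        return None
    key = normalize(raw_key)           # may now be the empty string
    for user in USERS:
        if user["reset_key"] == key:   # "" == "" matches the keyless admin row
            return user["login"]
    return None


def lookup_hardened(raw_key):
    """Validate type and format first; never match a row with no stored key."""
    if not isinstance(raw_key, str) or not KEY_FORMAT.fullmatch(raw_key):
        return None
    for user in USERS:
        stored = user["reset_key"]
        # Skip accounts with no pending reset, then compare in constant time.
        if stored and hmac.compare_digest(stored, raw_key):
            return user["login"]
    return None
```

The hardened lookup applies two independent controls: the supplied key is rejected unless it has the expected shape, and an account with no pending reset can never be selected regardless of what was supplied.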