Version 2.8.4 of WordPress has been released earlier today to patch a security vulnerability the enables an attacker to reset the admin user’s password, causing WordPress to send the new password via email to the administrator.

While this does not allow the attacker to gain access to the system, it does cause the server to keep resetting the admin password, sending a flood of emails to the administrator’s mail box.

You can find more information about the issue on the official WordPress site.