A Polish security researcher has found a flaw in the latest version of WordPress, version 3.5.1. He reported it to WordPress but, with no response after 7 days, he went public.
The flaw probably won’t affect too many users. It requires a password-protected page within a self-hosted WordPress site, and almost by definition, bloggers and users of blogging software want to publicize rather than protect their pages. However, if such a page exists and an attacker can find it, he could manipulate the password process to cause a denial of service. In announcing the flaw, Krzysztof Katowicz-Kowalewski included a temporary patch that can be used pending an official patch from WordPress.
For more information, refer to the following link: