PC World reported today about a problem that can allow hijackers to get into both WordPress.com and self-hosted WordPress sites. The reason is that the login cookie (which tells WordPress whether or not you’re logged in) is sent to the browser in plain text format rather than being encrypted. This plain text cookie can be grabbed by any hacker on the same open Wifi network and then your account can be used in many unpleasant ways.
WordPress.org sites are not affected as severely because their login cookies expire in two weeks. With WordPress.com, they are valid for three years, meaning a hacker could have a very extended period of access to an account. The vulnerability will be fixed in the next release of self-hosted WordPress, according to developer Andrew Nacin, but it could be awhile before WordPress.com gets a fix. Read more about the login cookie issue.