The worm is able to attack versions of WordPress prior to 2.8.4 and its immediate predecessor. Version 2.8.4 was released in early August specifically to address this flaw, which results in a password reset of WordPress accounts and allows someone to take control of the admin account. Taking over the admin account would give that person access to further information, as well as the ability to wreak havoc on the blog itself.
Though the vulnerability was initially published several weeks ago, this is the first report of malware specifically identifying and trying to exploit it. The WordPress developer is concerned that many servers are still running old versions, which puts them at risk. If you're maintaining a WordPress server that's behind on updates, consider this a heads-up.