WordPress have released a security patch/update today to address a small loophole that would let a specifically constructed URL request a change of admin passwords. This affects the Admin account that is created when you first set up a WordPress installation; whilst it does not give the hacker outside access, it would mean that you, as Admin for your site, would have to do some very confusing stuff to log in to your site. It is recommended that you set up a secondary Admin user as well, just in case one account is compromised.
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
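To make the failure mode above concrete, here is an added example in Python that is not WordPress code: a reset-key lookup that trusts whatever the sanitiser hands it, beside a hardened version that refuses an empty or malformed key before querying. The in-memory user table, the field names, the `sanitize_key` helper and the assumed key format are all my own constructions for illustration.

```python
# Added example, not WordPress code. Demonstrates why a password-reset lookup
# keyed on the reset token alone matches the first user with no key at all,
# and how rejecting empty/malformed keys up front closes that path.
import re
from typing import Optional

# Constructed sample user table (assumed layout). Only "bob" has actually
# requested a reset, so only that row carries a non-empty activation key.
USERS = [
    {"id": 1, "login": "admin", "activation_key": ""},
    {"id": 2, "login": "editor", "activation_key": ""},
    {"id": 3, "login": "bob", "activation_key": "f3a9c1d2e4b5"},
]

# Assumed key format: a hex-ish string of at least 12 characters.
KEY_RE = re.compile(r"^[A-Za-z0-9]{12,}$")


def sanitize_key(raw) -> str:
    """Assumed sanitiser: keeps only key characters and returns '' for any
    value it cannot treat as a string. An over-permissive caller that trusts
    this return value is the weak spot the example is about."""
    if not isinstance(raw, str):
        return ""
    return re.sub(r"[^A-Za-z0-9]", "", raw)


def lookup_weak(raw_key) -> Optional[dict]:
    """Weak form: matches the first row whose key equals the sanitised value.
    An empty key therefore matches the first user with no pending reset,
    here the admin account."""
    key = sanitize_key(raw_key)
    for user in USERS:
        if user["activation_key"] == key:
            return user
    return None


def lookup_hardened(raw_key) -> Optional[dict]:
    """Hardened form: refuse empty or malformed keys before touching the
    table, and only ever match rows that actually hold a key."""
    key = sanitize_key(raw_key)
    if not key or not KEY_RE.fullmatch(key):
        return None
    for user in USERS:
        if user["activation_key"] and user["activation_key"] == key:
            return user
    return None


def reset_password(lookup, raw_key) -> Optional[str]:
    """Returns the login whose password would be reset, or None if refused."""
    user = lookup(raw_key)
    return user["login"] if user else None


if __name__ == "__main__":
    for label, fn in (("weak", lookup_weak), ("hardened", lookup_hardened)):
        for sample in ("", "f3a9c1d2e4b5", "short"):
            print(f"{label:9s} key={sample!r:16} -> {reset_password(fn, sample)}")
```

The point to take from the hardened version is that the check on the key itself has to happen before the database lookup; filtering the query result afterwards would still leave the empty-key match in place. Set up the secondary admin account regardless, so that a reset of the primary one never locks you out.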
In real time, the update didn't show up in my Dashboard till some time today, and I haven't read of any problems or sites hacked with this problem yet! Thanks to a heads-up on a forum I've been frequenting lately, which helps with my custom theme, I had everything in place to be sure that if anything happened I could override any changes with my other Admin account.
If you just HAVE to stick with a non-updated WP, the best advice I can think of is to create an additional admin-level account.
It's better not to be complacent: even if you have to update manually, do it today!