Upgrade your copy now…

There seems to be growing evidence that the XSS vulnerability in versions of WordPress before 2.8.2 is now being exploited for real in the wild. The manifestation seems to be that, after receiving a maliciously crafted comment, affected blogs display a login panel:

Title: Authentication Required
Text: The server (yourserver) at Magic requires a username and password

It would appear at the moment as though the malicious content can be removed by replacing wp-includes with a fresh copy from the WordPress source for your version. But if I were you I wouldn’t take that chance. I’d upgrade to 2.8.2 now. Otherwise you can’t really be sure that the hack hasn’t stolen any credentials, or caused other changes.
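Before overwriting wp-includes, it is worth recording which files differ from the pristine copy, so there is a record of what was changed. The following is an added example, not part of the original post: it hashes two directory trees and lists modified, added and missing files. The file names and contents in `demo()` are constructed sample data, and the two directory paths you pass to `compare_trees` are whatever your install and the unpacked source for your version use.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip broken symlinks and the like
                continue
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_trees(installed, pristine):
    """Return (modified, added, missing) relative paths, installed vs. pristine."""
    inst, ref = tree_hashes(installed), tree_hashes(pristine)
    modified = sorted(p for p in inst if p in ref and inst[p] != ref[p])
    added = sorted(p for p in inst if p not in ref)      # present only on the live site
    missing = sorted(p for p in ref if p not in inst)    # deleted from the live site
    return modified, added, missing

def demo():
    """Compare two constructed trees (sample data, not real WordPress files)."""
    sample = {"sample-a.php": b"<?php // a", os.path.join("js", "sample-b.js"): b"// b"}
    with tempfile.TemporaryDirectory() as tmp:
        pristine = os.path.join(tmp, "pristine", "wp-includes")
        installed = os.path.join(tmp, "installed", "wp-includes")
        for root in (pristine, installed):
            os.makedirs(os.path.join(root, "js"))
            for rel, body in sample.items():
                with open(os.path.join(root, rel), "wb") as fh:
                    fh.write(body)
        # Simulate tampering on the installed copy: one changed file, one extra file.
        with open(os.path.join(installed, "sample-a.php"), "ab") as fh:
            fh.write(b"\n// changed")
        with open(os.path.join(installed, "sample-extra.php"), "wb") as fh:
            fh.write(b"<?php // unexpected")
        return compare_trees(installed, pristine)

if __name__ == "__main__":
    for label, paths in zip(("modified", "added", "missing"), demo()):
        print(label, paths)
```

Files listed as added deserve particular attention, because copying a fresh wp-includes over the old one replaces changed files but does not delete extra ones.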
