There seems to be growing evidence that the XSS vunerability in versions of WordPress before 2.8.2 is now being exploited for real in the wild. The manifestation seems to be that, after recieving a maliciously-crafted comment, affected blogs display a login panel

Title: Authentication Required
Text: The server (yourserver) at Magic requires a username and password

It would appear at the moment as though the malicious content can be removed by replacing wp-includes with a fresh copy from the WordPress source for your version. But if I were you I wouldn’t take that chance. I’d upgrade to 2.8.2 now. Otherwise you can’t really be sure that the hack hasn’t stolen any credentials, or caused other changes.

BBC News is just one place that has noted the security hole in AOL instant messenger. The original advisory is here if you can get to it.