The Register mentions an attack on WordPress blogs that tells users to upgrade to a bogus 2.6.4 version of WordPress.
This attack seems to be taking advantage of the security vulnerability that necessitated WordPress 2.6.3, whereby if an attacker could get control of an RSS feed that you publish on your blog (for example using the RSS widget), he might be able to execute any commands.