Although Zhu discovered the problem on WordPress.com, it also affects self-hosted WordPress blogs that run the open source version of the software. On self-hosted installations, however, the login confirmation cookie expires after two weeks rather than three years. Self-hosted sites that serve their login and admin pages over HTTPS should be safe, because the cookie is then never sent in the clear.
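For self-hosted administrators, the two mitigations the article points to (encrypting the login session and limiting how long a stolen cookie stays useful) can both be set in `wp-config.php`. The snippet below is an added example, not code from the article or from WordPress itself; it uses the real `FORCE_SSL_ADMIN` constant and the `auth_cookie_expiration` and `secure_auth_cookie` filters, and the one-day lifetime is an assumed value chosen for illustration.

```php
<?php
// wp-config.php hardening (added example, not part of the article).
// Assumes the site already has a working TLS certificate.

// Force the login form and the whole admin area onto HTTPS, so the
// authentication cookie is never transmitted over plain HTTP.
define( 'FORCE_SSL_ADMIN', true );

// Shorten the auth cookie lifetime from the default 2 days (14 days with
// "Remember Me") to a single day, limiting the window in which a
// captured cookie remains valid. The filter receives the lifetime in seconds.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    $one_day = DAY_IN_SECONDS;           // WordPress constant: 86400
    return min( $length, $one_day );     // never lengthen, only shorten
}, 10, 3 );

// Mark the auth cookie as Secure so browsers refuse to send it over HTTP
// even if a page is ever loaded without TLS.
add_filter( 'secure_auth_cookie', function ( $secure, $user_id ) {
    return true;
}, 10, 2 );
```

Filters in `wp-config.php` must be registered before WordPress sets cookies, so placing them above the `require_once ABSPATH . 'wp-settings.php';` line is what makes them take effect; a site with no valid certificate will lock administrators out once `FORCE_SSL_ADMIN` is enabled.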
WordPress.org developer Andrew Nacin told Zhu via Twitter that this vulnerability will be fixed for self-hosted blogs in the next WordPress release. It is not clear when Automattic might release a fix for WordPress.com. We have dropped the company a line to find out and will update this story should Automattic respond.