It seems the WordPress developers have made some wrong decisions in their use of MD5. Full details are in this announcement. In summary, the authentication cookie contains MD5(MD5(password)), while the database stores MD5(password). This means that anyone with access to the hash from the database can compute the cookie value and pretend to be this user. Whoops. This shows once again that security is hard, as people consistently make the same mistakes.
More details and background on the Security Group blog.
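The relationship described above, as an added example (not WordPress code and not from the original post): the first functions show why the stored hash acts as a password equivalent, assuming hex-encoded MD5 digests as PHP's md5() returns them. The last two sketch one common mitigation, a cookie authenticated with a server-side secret kept outside the database; all function names and the cookie layout are hypothetical.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


# Scheme described in the post
def db_hash(password: str) -> str:
    """Value stored in the database: MD5(password)."""
    return md5_hex(password)


def cookie_from_password(password: str) -> str:
    """Value placed in the cookie: MD5(MD5(password))."""
    return md5_hex(md5_hex(password))


def cookie_from_db_hash(stored: str) -> str:
    """Same cookie value, derived from the stored hash with no password."""
    return md5_hex(stored)


# One common mitigation (assumed layout: user|expiry|tag)
def _tag(msg: str, server_secret: bytes) -> str:
    return hmac.new(server_secret, msg.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, expires: int, server_secret: bytes) -> str:
    """Bind the cookie to a secret that is not stored in the database."""
    msg = f"{user}|{expires}"
    return f"{msg}|{_tag(msg, server_secret)}"


def verify_cookie(cookie: str, server_secret: bytes, now: int) -> bool:
    try:
        user, expires, tag = cookie.rsplit("|", 2)
        not_expired = int(expires) > now
    except ValueError:  # wrong field count or non-numeric expiry
        return False
    expected = _tag(f"{user}|{expires}", server_secret)
    # Constant-time comparison on bytes, so odd input cannot raise
    return hmac.compare_digest(tag.encode(), expected.encode()) and not_expired
```

With the second scheme, a leaked password table alone is not enough to produce a cookie that verifies, because the HMAC key lives in server configuration rather than in the database.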