A vulnerability allows any unauthenticated user to wipe the entire database back to its default state, after which they are automatically logged in as an administrator.
v1.6.2 was released with an insufficient fix, allowing attackers to still exploit the issue using a CSRF attack.
v1.6.3 was released with a nonce fix.
Proof of Concept
By sending a call to /wp-admin/admin-ajax.php?action=anything&do_reset_wordpress=1, the database will be wiped and we will be logged in as "admin" if the "admin" user exists in the users table. Authentication is not required.
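A log check for the request described above, added here as an example and not part of the original advisory: it scans combined-format access log lines for the do_reset_wordpress parameter sent to admin-ajax.php and marks hits whose Referer points at another origin. The hostname blog.example, the function name and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "blog.example"  # assumption: hostname of the site being protected

# Combined log format: ip - user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

def find_reset_requests(lines, site_host=SITE_HOST):
    """Return one dict per logged request carrying do_reset_wordpress to admin-ajax.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes parameter names, so an encoded spelling is
        # still matched; keep_blank_values keeps the name when it has no value.
        params = parse_qs(url.query, keep_blank_values=True)
        if "do_reset_wordpress" not in params:
            continue
        ref_host = urlsplit(m["referer"] or "").hostname
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "status": int(m["status"]),
            # A Referer from another origin fits the CSRF route left open by v1.6.2.
            "cross_site_referer": ref_host is not None and ref_host != site_host,
        })
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=anything&do_reset_wordpress=1 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2024:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "https://blog.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:10:05:42 +0000] "GET /wp-admin/admin-ajax.php?action=x&do%5Freset_wordpress=1 HTTP/1.1" 302 0 "https://other.example/page" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_reset_requests(SAMPLE):
        print(hit)
```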