Developers at Automattic have emailed users of the official WordPress.com iOS app. The authors of the popular CMS warned about a fix for a dangerous bug that could expose users' authentication tokens to third-party sites. The fix shipped in version 11.9.1.
The developers write that the problem was introduced into the code back in January 2017 and affected only operators of sites that host images on external services such as Flickr. The site, of course, also had to be viewed or edited through a vulnerable version of the app.
The vulnerability reportedly did not affect usernames and passwords, only the authentication tokens the app uses to communicate and authenticate with WordPress.com.
In practice this means that if a WordPress site owner used the official iOS app to create or edit a post, and that post contained an image from an external source, that source may have received a WordPress.com token by mistake. Unscrupulous site owners could use tokens deposited on their servers for their own purposes, since such tokens allow logging in to WordPress.com without a password.
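The failure mode described above, a credential that rides on every outbound request instead of only on requests to the API that issued it, as an added Python example that is not code from the article or from the WordPress app. The API host name, the URLs and the token are constructed assumptions; the point is the contrast between the leaky header policy and a host-scoped one, plus the check that shows which hosts would receive the token.

```python
from urllib.parse import urlsplit

# Constructed sample value; not a real token.
SAMPLE_TOKEN = "constructed-sample-token"

# Hosts that legitimately need the WordPress.com token. The host name is an
# assumption for this example; the article does not name the API endpoint.
API_HOSTS = {"public-api.wordpress.com"}

# Constructed request list: one API call plus image fetches from third-party hosts.
SAMPLE_URLS = [
    "https://public-api.wordpress.com/rest/v1.1/sites/example.test/posts",
    "https://photos.example-image-host.test/albums/1/photo.jpg",
    "https://public-api.wordpress.com.attacker.test/photo.jpg",  # lookalike host
    "http://public-api.wordpress.com/rest/v1.1/me",  # plaintext downgrade
]

def headers_leaky(url: str, token: str) -> dict:
    """Pre-fix pattern: the bearer token goes on every request the app makes,
    including image fetches from whatever host a post happens to embed."""
    return {"Authorization": f"Bearer {token}"}

def headers_scoped(url: str, token: str) -> dict:
    """Hardened pattern: the token is attached only to HTTPS requests whose
    exact host is on the API allowlist; every other request is sent bare."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname strips userinfo and port
    if parts.scheme == "https" and host in API_HOSTS:
        return {"Authorization": f"Bearer {token}"}
    return {}

def token_recipients(build_headers, urls, token: str) -> list:
    """Return the hosts that would receive the token under a given header policy,
    which is the check a code review or an outbound-request proxy would make."""
    recipients = []
    for url in urls:
        headers = build_headers(url, token)
        if any(token in value for value in headers.values()):
            recipients.append((urlsplit(url).hostname or "").lower())
    return recipients

if __name__ == "__main__":
    print("leaky :", token_recipients(headers_leaky, SAMPLE_URLS, SAMPLE_TOKEN))
    print("scoped:", token_recipients(headers_scoped, SAMPLE_URLS, SAMPLE_TOKEN))
```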
The developers' message emphasizes that the bug did not affect self-hosted WordPress sites, as they do not use WordPress.com for authentication. The Android version of the app was also unaffected.