Well, technically not WordPress, but your hosting is probably vulnerable.
From http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224300052&cid=nl_DR_DAILY_2010-04-13_h if you want to read the whole thing.
There was an attack on WordPress blogs hosted at Network Solutions, but your host is probably guilty as well.
The gist of what happened is the wp-config.php was readable by the world and the crackers got access to the database passwords and logins which are stored in that file in plain text.
It is a WordPress problem because that was considered best practice. In reality, none of your files need to be world readable. They only need to be readable by the web server, so you can safely eliminate any world read permissions, unless your host is lame.
If that is over your head don’t panic. Just ask your host.
Here is a quick screen capture I put together:[youtube:http://www.youtube.com/watch?v=g7bVVFr6CXE]
Please leave me your comments below, and report any lame hosts that won’t let you run your website without wide-open permissions.