For the past couple of weeks the information security community has been noticing someone exploiting a new vulnerability in the Wordpress blogging software that lets the attacker inject arbitrary HTML code into the content from outside. So far, what has been seen is an
Peter Hosey has noticed that Wordpress' xmlrpc.php file, which is used by personal blogging clients (as opposed to using your web browser to log into the back-end), is implicated in these shenanigans. I'm not a Wordpress user, but renaming that file to something else (like squid-bacon-and-tomato.php) might slow the attackers down, depending on your sense of humor.
After hearing word of this exploit in the wild, the Prometheus Group developed a mod_security rule that filters out the injected HTML. You can download the virtual patch here and load it into your server's mod_security configuration. As more information is uncovered, the rule will probably be updated or others will be released to the public.
(obDisclaimer: I work for the Prometheus Group. I'm trying to be a good Samaritan by spreading this around.)
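Whether you rename xmlrpc.php or drop in the mod_security virtual patch, it helps to know first whether anything is actually POSTing to that endpoint on your server, and from where. The following script is an added example, not code from this post or from the Prometheus Group: it parses Apache "combined" access log lines and tallies POST requests to xmlrpc.php per client address. The log lines embedded in it are constructed sample data, not captured traffic, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:10:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [12/Mar/2007:10:02:15 +0000] "GET /index.php HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2007:10:02:19 +0000] "POST /xmlrpc.php HTTP/1.1" 200 530 "-" "Mozilla/4.0"
192.0.2.9 - - [12/Mar/2007:10:03:01 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 498 "-" "SomeBlogClient/1.0"
198.51.100.4 - - [12/Mar/2007:10:03:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Enough of the combined format to pull out client IP, timestamp, method,
# request path and response status. Referer and User-Agent are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_posts(lines, endpoint="xmlrpc.php"):
    """Return the parsed records for every POST whose path ends in `endpoint`.

    Matching on the basename catches installs that live in a subdirectory
    (e.g. /blog/xmlrpc.php). If you have renamed the file, pass the new name
    to confirm nothing is still hitting the old one.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than crash mid-file
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if rec["method"] == "POST" and path.rsplit("/", 1)[-1] == endpoint:
            hits.append(rec)
    return hits


def posts_per_client(lines, endpoint="xmlrpc.php"):
    """Count xmlrpc.php POSTs by client IP, most active first."""
    return Counter(rec["ip"] for rec in xmlrpc_posts(lines, endpoint))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in posts_per_client(lines).most_common():
        print(f"{ip}\t{n} POST(s) to xmlrpc.php")
```

Run it against your real log with `posts_per_client(open("/var/log/apache2/access.log"))`. If the only POSTs come from the one address you blog from with a desktop client, renaming the file or restricting it by address costs you nothing; if you see unfamiliar addresses hammering it, that is the traffic the mod_security rule is there to filter. Bear in mind that renaming or blocking xmlrpc.php also breaks any legitimate blogging client you use, so an allow-list is the gentler option if you depend on one.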