With read-only access to the WordPress database, it is possible to generate a valid login cookie for any account without resorting to a brute-force attack. This allows a limited SQL injection vulnerability to be escalated into administrator access.

http://www.securiteam.com/unixfocus/6D00N1PKAC.html