Sucuri just released notice of a Stored XSS vulnerability within Akismet 3.1.4. Unfortunately for this scenario Akismet is installed by default across millions of WordPress websites – and not every webmaster keeps their website scripts updated (even though you all should!). The current vulnerability affects only those websites who are running Akismet v3.1.4 or lower, and also have the Convert emoticons to graphics on display option enabled (again the default on new WordPress installs).
For more details regarding the vulnerability check out the post over on the Sucuri blog. Otherwise make sure you have updated to Akismet v3.1.5 to patch this vulnerability on you’re websites.