The attackers can forge cookies by registering a username that results in the same concatenated string, because the cookie authentication method relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME.
Update WordPress to version 2.5.1.