When posting comments,WordPress does not require a nonce value (unless posting unfiltered HTML). This means that an attacker can force a logged-in user to post arbitrary comments.
For this to happen, the logged-in user would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.
The line which verifies the nonce when using unfiltered HTML is line 154 of wp-comments-post.php.
EDIT: this issue has been known about since 2009, but it appears that no fix is planned https://core.trac.wordpress.org/ticket/10931
Current state: Reported
Log in, visit an URL containing the following (replacing localhost as appropriate, replacing 1 with the ID of a post), click submit:
<form method="POST" action="http://localhost/wp-comments-post.php"> <input type="text" name="comment_post_ID" value="1"> <input type="text" name="comment" value="UH OH"> <input type="submit"> </form>
Disable comments until a new version is released that fixes this bug