The attackers can cause a denial of service via a comment with a crafted URL that triggers many recursive calls, because the make_clickable function in wp-includes/formatting.php does not properly check URLs before passing them to the PCRE library.
Update WordPress.