Someone breaking into a Wordpress install due to a plugin's 0-day for example, and then being able to log into all the accounts managed by that WP's openID server.