Ok here is a question to the Monero development team. I am not a coder nor a technical person. What is the RPC mode there for and what can I use it for as an ordinary user?
I ask because the possibility of someone controlling your wallet remotely should not be taken lightly.
I'm not (at all!) on the Monero development team. And apparently (and happily) I was wrong about the RPC function being enabled by default, which makes this vulnerability much, much less severe.
RPC actually allows instructions over the network, a bit like if you were "in the application interface". Now, the "network" can be limited to the "local machine". This is strange at first sight, but it means that certain applications on the local machine can do "network calls" to the other application that has RPC. The local network has IP address 127.0.0.0. It is not accessible from outside. So you would think that RPC calls ON THE LOCAL MACHINE to itself are no problem.
The vulnerability is that a browser executing code in a web page, IS on the local machine, and CAN do local network calls. So the web page can contain network call instructions to the local machine and hence, push instructions to every RPC application that listens to them.
Usually, you can protect network access with a password, but sometimes people don't do this on the local machine, as they - erroneously - consider that the local machine is safe. The point with web browsers is that they execute code from a foreign web page on the local machine, and that's the loophole that is exploited here.
So you are in danger if:
1) you have activated the RPC function in your wallet without password
2) you have opened your wallet
3) you use a web browser on the same machine, while your wallet is open, to visit a page that contains these instructions
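A self-check for the third condition, added here as an example (not code from the thread or from the Monero project): it sends one harmless, unauthenticated `get_version` call to the loopback address, exactly as a script on a web page could, and reports whether the wallet RPC answers it, challenges for a login, or is not listening at all. The port 18082 and the simulated servers used for testing are assumptions.

```python
"""Audit whether a local JSON-RPC wallet endpoint answers calls without a login.
Added example; host/port and the fake servers below are constructed for illustration."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def rpc_exposure(host: str = "127.0.0.1", port: int = 18082, timeout: float = 2.0) -> str:
    """Return 'closed', 'login-required', 'open' or 'unknown' for http://host:port/json_rpc."""
    body = json.dumps({"jsonrpc": "2.0", "id": "0", "method": "get_version"}).encode()
    req = urllib.request.Request(f"http://{host}:{port}/json_rpc", data=body,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            answer = json.loads(resp.read())
    except urllib.error.HTTPError as err:  # server replied, but with an HTTP error
        challenge = err.headers.get("WWW-Authenticate", "").lower()
        # A Digest challenge means an RPC login is configured: the good case.
        return "login-required" if err.code == 401 and "digest" in challenge else "unknown"
    except (urllib.error.URLError, OSError):  # nothing listening on that port
        return "closed"
    # A JSON-RPC result without any credentials: any local page could do the same.
    return "open" if "result" in answer else "unknown"


class _FakeWalletRPC(BaseHTTPRequestHandler):
    """Constructed stand-in for a wallet RPC, in either open or login-required mode."""
    require_login = False

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.require_login:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Digest realm="wallet-rpc", nonce="constructed"')
            self.end_headers()
            return
        reply = json.dumps({"jsonrpc": "2.0", "id": "0", "result": {"version": 0}}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_fake(require_login: bool) -> tuple:
    """Start a fake RPC on a free loopback port; returns (server, port)."""
    handler = type("Handler", (_FakeWalletRPC,), {"require_login": require_login})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    print("wallet RPC on 127.0.0.1:18082 is", rpc_exposure())
```

If the result is "open", the fix on the wallet side is to start the RPC with a login (monero-wallet-rpc's `--rpc-login user:password`) rather than leaving it unauthenticated.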