The problem on phones affected by this issue is that apps granted the ACCESS_WIFI_STATE permission can do more than simply check on the status of your Wi-Fi connection; these models return such requests with full Wi-Fi password details. An app with both this and Internet permissions could, in theory, go about surreptitiously harvesting your stored Wi-Fi network passwords.
Models affected include the Desire HD, myTouch 4G, Desire S, Sensation, EVO 3D, Droid Incredible, and the Thunderbolt 4G. The good news is that HTC was made aware of this problem a while back, and has been hard at work preparing updates to correct things. Most of these have already been distributed during previous maintenance releases; for the rest, HTC will have manual updates ready in the next week or so. It hasn't said just which of those phones have already been patched, so we'll have to wait until next week to learn who still needs to install the fix.