Yes, those claims are pretty valid. My Anti-Virus software just warned me of it while browsing though the blog.
The forums are okay though, it's just the WordPress installation he has. It's outdated. Someone or something found a security exploit in it, injected some code, and comprised the security of his site. He just needs to update is all.