A hacker or malicious site can connect to the wallet through its default JSON RPC interface and pass it arbitrary console commands, including commands to export keys.
Wallets without a password are most at risk. A wallet encrypted with a sufficiently complex password is relatively safe, provided the owner does not make transactions or perform other actions that briefly leave the wallet unprotected.
The vulnerability also applies to forks of Electrum, for example Electron Cash.
The vulnerability was partially fixed in version 3.0.4, which became available on the Electrum website on January 7. On the night of January 8, version 3.05 was published; it fixes the vulnerability more reliably by disabling the JSON RPC interface when the GUI wallet is running, and by protecting the interface with a password by default.
All users of this wallet need to install the hotfix before continuing to use it.