Is WordPress vulnerable to “comment posting forgery”?

This is a false alarm. Many “Security Programs” do that. That’s called FUD.

WordPress does not check the Referer header, because it is often empty, and real spammers send the site URL as Referer anyway.

But all comment fields are sanitized, so no harmful code will be injected. Install an anti-spam plugin, and everything is fine. This report is obviously bogus.
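As an added illustration (not WordPress's own sanitization code, and not part of the answer above), here is an allowlist-based comment sanitizer in Python of the kind the answer relies on: markup outside a small allowlist is dropped or escaped, and link targets are restricted to http(s). The tag and attribute allowlist is an assumption chosen for the example.

```python
# Added example (hypothetical, not WordPress code): allowlist sanitizer for
# comment text. Anything not on the allowlist is removed or escaped, so a
# comment cannot inject script or event-handler attributes.
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tag -> attributes permitted on that tag.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "code": set(), "blockquote": set(),
}


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag entirely; its text content is still kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # e.g. onclick=, style= are never kept
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue  # reject javascript:, data: and other non-http schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are always re-escaped, so "<" in a comment stays literal.
        self.out.append(escape(data, quote=False))


def sanitize_comment(text):
    """Return a version of the comment containing only allowlisted markup."""
    parser = CommentSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```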