
I highly doubt WordPress.com is storing the passwords in a reversible encryption, or in plain text. It seems to me that when the user hits that page, the password is generated and displayed.

Yes, it should be HTTPS at the least, but aren't you going to go in and change the password immediately anyways?




If you look at the actual WP create account page here: http://en.wordpress.com/signup/

You'll see that there is a box for your password and a confirmation of the password, so that leads me to believe that they are actually sending the user the password they created the account with, rather than a randomly generated one. Otherwise, why have the input fields there at all?

Therefore, they must be storing either plain text or two-way encryption.


Which also suggests that these are passwords that most users use for other online accounts...


I agree, the main issue here is that they're not using SSL during these steps, and the second is that they don't recommend changing your password from the generated default.



