Tuesday, August 16. 2005
WordPress 1.5.2 has been released in response to the vulnerabilities. Unfortunately I had to tell the authors that, while they have properly fixed the SQL injection vulnerabilities which I had disclosed to them 26 days before, they have not properly fixed the remote code execution exploit.
With a trivial modification of the published exploit code, it will still work against WordPress 1.5.2. A fix for this was committed 2 days ago, after I sent them the necessary code.
Yeah, and it is still reported that some "experts" claim this is a vulnerability in PHP and not in WordPress. When the pope visits Cologne in 2 days, maybe I should ask him how to deal with false prophets.
Update: The WordPress 1.5.2 tarball was silently replaced with a fixed one, most probably 9 hours after the original release. So some who have updated are vulnerable and some are not.