Wednesday, August 17. 2005
It turns out that the WordPress developers are not only slow in dealing with security holes, but totally irresponsible. It has come to my attention that, after I had disclosed to them the obvious flaws in their security fix, they silently replaced the release tarball of WordPress 1.5.2 with a fixed version at an unknown point in time during the last 2 days.
This means everyone who upgraded within the first day is most probably still vulnerable to the exploit. It is hard to guess how many people are affected, because the tarball was changed without any notification to me or to their users.
Update: from looking at the tarball timestamps, there is at least a 9 hour time window between both tarballs.