WordPress 1.5.2 has been released in response to the vulnerabilities. Unfortunately I had to tell the authors, that while they have properly fixed the SQL injection vulnerabilities which I had disclosed to them 26 days before, they have not properly fixed the remote code execution exploit.
With a trivial modification of the published exploit code, it will still work against WordPress 1.5.2. A fix for this has been commited 2 days ago, after I have sent them the necessary code.
Yeah and it is still reported that some "experts" claim this is a vulnerability in PHP and not in WordPress. When the pope visits cologne in 2 days I maybe should ask him how to deal with false prophets.
Update: The WordPress 1.5.2 tarball was silently replaced with a fixed one most probably 9 hours after the original release. So some who have updated are vulnerable and some not.
Because the WordPress developers try to hide the fact that they acted irresponsible, by writing things into their own blogs that are far from true, here a little clarification.
The remote code execution vulnerability in WordPress <= 126.96.36.199 was originally reported by someone else, not me. It got obviously fixed in their subversion tree and some hours later someone posted an exploit for this to the security mailinglist full-disclosure. I reported some (4!) days later about this in my blog, because I had also reported SQL injection holes in WordPress <= 188.8.131.52 26 days before and there was still no fix in subversion or a new updated version.
The original tarball of WordPress 1.5.2 was created at 21:06 CET on the 14th August. I downloaded it some time after when coming back home. I immediately saw that the bugs I had reported were fixed, but that the remote code execution flaw was not fixed. At 23:16 CET I sent a mail to Matt telling him about the bugs and sent him a fix. Unfortunately I sent him the wrong code and had to resend it. Matt did not understand the problem from my first mail and therefore at 2:xx CET we mailed again. According to the timestamp of the WordPress 1.5.2 announcement on wordpress.org it was written at 23:17 UTC which is 1:17 CET. This means when the announcement went public Matt had not understand the problem yet. At 5:56 CET I received a mail saying that he had fixed it. The subversion timestamp of his commit says that he commited at 5:57 CET and the replaced tarball has a timestamp from 6:02 CET.
With a bit of math you will realise that there is a difference of 9 hours between the creation of both tarballs and that there are 4 hours and 45 minutes between the announcement on wordpress.org and the creation of the fixed tarball.
When spreading the lie that the announcement was released after the tarball was fixed, they forgot that tarballs and blogpostings have timestamps in it.