This has been reported.
For various reasons, the core WordPress developers (that is, Ryan and Matt) do not discuss WordPress exploits until a patch is available, and a release plan is in place.
The vitriol about unpatched vulnerabilities is misplaced. Matt and Ryan have an obligation to make sure that the problems they fix do not cause more trouble. We experienced this with 126.96.36.199, which was released to fix a problem, and ended up introducing additional problems.
And as I said, it involves more than just patching. The patches need to be sufficiently tested. The upgrade process needs to be supported by the volunteers here. Simply releasing a new version, and saying "here you go!" would do more harm than good.
I'm not thrilled about the existence of security vulnerabilities, but it's a fact of life that they'll always be present. WordPress is an increasingly complex piece of software, and although Matt and Ryan make an effort to be security-conscious in their coding, they are after all human beings. We all make mistakes; we all have bad days; we all overlook some things.
You can help, rather than complain.
Every single reader here is invited to participate in WordPress' development. If you notice problems, please log them at trac.wordpress.org. If you discover a severe vulnerability, email firstname.lastname@example.org. The Open Source mantra is "With many eyes, all bugs are small." By working together, we can squash bugs and make sure that WordPress is as secure as it can be.