I've noticed a couple exploits on more than one of my websites. I don't see them well-documented and I don't think this forum is a good place to post details, or code that I have extracted.
I think I can safely say:
I have noticed two distinct vectors: one seems to involve an attacker creating a new user account on my site, even though this functionality has been administratively disabled. I think this is a "foot in the door" exploit that I don't well understand.
The second vector seems to use a maliciously crafted url that tricks the rewrite engine into decoding a base64 string, creating a new function that contacts a remote server. The remote server then exploits WordPress's access privileges to download new php files that alter how WordPress serves content, and additionally, downloads to the WordPress site a binary file which, presumably, is some kind of payload. I first saw this vector years ago, and have recently seen a more sophisticated version of it that additionally modifies .htaccess to "allow from all."
Here is an example of what it looks like when a remote server issues commands to a compromised WordPress installation under this exploit:
xx.xx.xx.xx - - [28/Mar/2012:09:38:29 -0700] "GET http://www.mysite.com/wp-xrmu.php?f_del_name=master HTTP/1.0" 404 12715 "-" "-"
xx.xx.xx.xx - - [28/Mar/2012:09:38:35 -0700] "GET http://www.mysite.com/wp-xrmu.php?f_del_name=slave HTTP/1.0" 404 12715 "-" "-"
Could somebody official WordPress please contact me about this?