Important Security Information – Updated

This thread is void due to the release of 1.5.2.
Go here: http://wordpress.org/support/topic/41866
======================================

You must UPGRADE to 1.5.1.3 first!

WordPress version 1.5.1.3 is remotely exploitable if the web server on which it runs has register_globals = on in the PHP configuration. perl and PHP code exists to automatically exploit vulnerable WP 1.5.1.3 sites, allowing the attacker to (try to) execute code on the victim’s account.

==Are You Vulnerable?==
To test if your web server has this PHP option enabled, copy-and-paste the following PHP script, save it to your web site as rg.php:

<?php
if ( ini_get(‘register_globals’) ) {
echo “REGISTER_GLOBALS IS ON”;
} else {
echo “register_globals is off”;
}
?>

Then load that page in your browser:
http://example.com/rg.php
If register_globals is off, you may stop reading: your site is not vulnerable to this attack.

==How to protect yourself==
Download the revised wp-settings.php file. This revised version includes specific code to thwart attacks that leverage register_globals.

To use the revised wp-settings.php file, please first make a backup copy of your existing wp-settings.php file, then simply transfer the new version to the root directory on your site.

We strongly encourage security in depth. In addition to the fix above, you are encouraged to disabled register_globals for your site. Most users will be able to edit your .htaccess file, and place this at the very top:
php_flag register_globals off

(Note: on some hosts you may need to take additional steps in order for this option to have an effect. For example, Dreamhost users will need to visit their control panel and uncheck the option to “Run PHP as CGI”.)

If you control the server, you may edit php.ini and disable register_globals. You will need to restart the webserver after making this change.