I am running WordPress 2.5.1 and have had the following take place over the last 24 hours: people are able to search for certain strings containing code in the form of entities and "img+onerror" and are able to redirect the WP search results to outside sites.
This is a web server log that includes the relevant lines of activity:
You can see a sample of such redirects, now indexed by Google, here:
This is an example of the rendered search page that is returned:
I have done my best to lock down the blog but this is beyond my ken. I am currently looking for a way to disable searching for encoded entities in the search field, since it looks as though the search results page is interpreting them, which allows the hack to work. Also, it would be best if the "img+onerror" could not be passed this way.
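Added illustration (not part of the original post, and not WordPress's own code): the behaviour described above, a search-results page that decodes entity-encoded text from the "s" parameter and echoes it back, is a reflected XSS, and the fix is not to block entities in the search box but to escape the term at the point it is written into the page. The snippet below is plain PHP, runnable from the command line; the sample query string is constructed to have the same shape as the "img onerror" searches mentioned above, with a placeholder handler name, and the function names are hypothetical. In WordPress itself the same role is played by the core escaping helpers (wp_specialchars() in the 2.x line, later esc_html()), which is why upgrading past 2.5.1 is the practical remedy.

```php
<?php
// Constructed sample input: an entity-encoded <img onerror> search term,
// the shape of request the poster describes (handler name is a placeholder).
$rawQuery = '&lt;img src=x onerror=placeholderHandler()&gt;';

// Vulnerable pattern: decode entities, then print the decoded text straight
// into the HTML. The browser now sees a live <img> tag and fires onerror,
// which is what lets the search page redirect visitors elsewhere.
function renderVulnerable(string $s): string {
    $decoded = html_entity_decode($s, ENT_QUOTES, 'UTF-8');
    return 'Search results for: ' . $decoded;
}

// Hardened pattern: decoding for matching posts is fine, but whatever is
// echoed into the page must be re-encoded with htmlspecialchars so that
// '<', '>', '"' and "'" come out as entities and can never form a tag.
function renderHardened(string $s): string {
    $decoded = html_entity_decode($s, ENT_QUOTES, 'UTF-8'); // for matching only
    $safe    = htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8');
    return 'Search results for: ' . $safe;
}

// Self-check used below: does the rendered HTML contain a literal <img tag?
function containsLiveTag(string $html): bool {
    return preg_match('/<\s*img\b/i', $html) === 1;
}

echo renderVulnerable($rawQuery), PHP_EOL;
echo renderHardened($rawQuery), PHP_EOL;
var_dump(containsLiveTag(renderVulnerable($rawQuery)));
var_dump(containsLiveTag(renderHardened($rawQuery)));
```

Run with `php example.php`: the first rendering contains a live tag, the second shows the attacker's text as harmless visible characters. The point is that filtering entities out of the search input is a losing game (there are many encodings); encoding on output is the check that holds regardless of what was typed into the box.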