Yesterday my server was hacked and all index* files on my entire server including wordpress installs were defaced by crackers_child. I particularly noticed that even after restoring the index pages the blog would show the culprit HTML at top of each page and then I noticed that the HTML was actually in wp-includes / default-filters.php.
I googled and it sees there is already an advice about a vulnerability in this Php used in wordpress mentioned at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4743.
I always run the latest stable version of WordPress and it really alarms me that a hacker was probably able to deface my entire site using this vulnerability.
Is the WordPress developer community listening?