I seem to have this same issue with the latest version of WP. I am given the option of using thumbnail or original – however, whichever I use is limited by height tag to the thumbnail size. I have to toggle to html and remove the height tag for the original to show.
We discovered the possible security flaw is in fantastico – the cpanel plugin that allows a one-click wordpress install. Apparently, if you use the same username/password for wordpress as your ftp access, there is an exploitable opportunity for a hacker.
I had my wordpress blog hacked last week…. we worked out the only realistic reason was that the blog was created using fantastico – which is a cpanel plugin. If you happen to use the same username/password as your ftp during your fantastico wordpress install – it seems there is a security flaw.
