The hacker gained user-level access to one of the servers that powers wordpress.org and modified two files to include code that would allow remote PHP execution. Although details are sketchy, the WordPress blog describes problems with the wp-includes folder, especially the theme.php and feed.php files, and any query string with “ix=” or “iz=” in it.
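The two indicators above (the ix/iz query parameters and the backdoored theme.php and feed.php under wp-includes) are enough to sweep a web server's access log for attempts to use the backdoor. The following detection script is an added example, not part of the original post or of WordPress itself; it assumes a standard Apache "combined" log format, matches the parameter name rather than the bare "ix=" substring (so that, for instance, "fix=" is not flagged), and treats any direct request to the two files as suspicious since they are normally included server-side rather than requested by a browser. The sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line; only the request target is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators from the WordPress announcement for the 2.1.1 compromise.
SUSPICIOUS_PARAMS = {"ix", "iz"}
BACKDOORED_FILES = ("wp-includes/theme.php", "wp-includes/feed.php")

def classify(line):
    """Return the reasons a request matches the backdoor indicators, or [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []          # malformed or non-combined line: skip rather than guess
    parts = urlsplit(m.group("target"))
    reasons = []
    # keep_blank_values so "?ix=" with an empty value is still seen
    params = set(parse_qs(parts.query, keep_blank_values=True))
    hit = SUSPICIOUS_PARAMS & params
    if hit:
        reasons.append("query parameter " + ",".join(sorted(hit)))
    # Direct hits on the two modified files (assumption: never requested legitimately).
    if any(parts.path.endswith(f) for f in BACKDOORED_FILES):
        reasons.append("direct request to " + parts.path)
    return reasons

def scan(lines):
    """Return [(line, reasons)] for every log line that matches at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits

# Constructed sample log: two backdoor probes and two ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2007:14:03:11 +0000] "GET /wp-includes/theme.php?ix=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2007:14:05:42 +0000] "GET /?p=12 HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2007:14:06:01 +0000] "GET /feed/ HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2007:14:07:19 +0000] "GET /wp-includes/feed.php?iz=1 HTTP/1.1" 200 15 "-" "curl/7.15"
"""

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG.splitlines()):
        print("; ".join(reasons), "<-", line.split('"')[1])
```

A hit on either indicator from a host running 2.1.1 means the install should be treated as compromised, not merely patched, since the announcement says the files themselves were modified.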
WordPress recommends upgrading to 2.1.2 immediately. The latest .zip and tarballs can be found here.
This issue comes at the same time as the PHP Security blog attempts to raise awareness of general PHP vulnerabilities. Not a great time for the PHP folks.