
Aaron Wormus' Blog:
PHP XMLRPC Bug in Numerous Applications
Jun 29, 2005 @ 17:50:56

Aaron Wormus has a new post on his blog with a security notice that anyone using XML-RPC in their PHP applications should read.

Hardened-PHP Project forum / PHP XMLRPC Bug in numerous applications

No word yet as to whether or not Wordpress is affected by this. I just saw Mike's blog drop off the radar, and since I'm not using the xmlrpc, I'll settle with removing the interface until I get more details.

Note: According to this post the most recent release fixes this issue. Deleting xmlrpc.php is recommended if you can't upgrade now.

The basic flaw, as the forum post describes it, is that:

Basically, one can POST the exploit code directly into the vulnerable application and own the underlying server with a few clicks while only one POST request shows up in the server's access log.

A *very* dangerous situation... so, if you're using one of the many XML-RPC enabled applications out there (e.g. Serendipity, Drupal, XOOPS, phpMyFAQ, etc.), it's recommended that you upgrade immediately (if your software has a fix).

For complete information, see this forum post...

UPDATE: this is also a problem with the PEAR::XML_RPC library (as mentioned by Tobias Schlitt here), but, thankfully, you can upgrade to version 1.3.1 to fix the issue.
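Two defender-side checks follow from the post above: the forum quote notes that an attack leaves only a single POST request in the server's access log, and the update names 1.3.1 as the fixed PEAR::XML_RPC release. The script below is an added example, not code from Aaron's blog, the Hardened-PHP forum, or any of the named projects. It scans Apache combined-format access log lines for POST requests to any xmlrpc.php endpoint and compares an installed PEAR::XML_RPC version string against 1.3.1. The log lines embedded in it are constructed sample data; the field layout, function names and the 203.0.113.0/24 addresses are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample access log lines in Apache "combined" format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2005:17:50:12 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jun/2005:17:51:03 +0200] "POST /xmlrpc.php HTTP/1.1" 200 312 "-" "Python-urllib/2.4"
203.0.113.5 - - [29/Jun/2005:17:52:44 +0200] "GET /xmlrpc.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.12 - - [29/Jun/2005:17:53:10 +0200] "POST /blog/xmlrpc.php?x=1 HTTP/1.0" 200 298 "-" "curl/7.12"
"""

# One regex for the combined log format: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_xmlrpc_posts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per POST whose path ends in /xmlrpc.php (query string ignored).

    GETs to the endpoint are normal browser/client traffic and are not reported;
    a POST is the only way to deliver an XML-RPC method call, so that is the
    event worth reviewing when the installed library is known to be vulnerable.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.endswith("/xmlrpc.php"):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": path,
                "status": m.group("status"),
                "ua": m.group("ua"),
            })
    return hits


def posts_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count reported POSTs per client IP, so a single-request attack still shows up."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '1.3.1' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def pear_xml_rpc_is_fixed(installed: str, fixed: str = "1.3.1") -> bool:
    """True when the installed PEAR::XML_RPC version is at or above the fixed release."""
    return version_tuple(installed) >= version_tuple(fixed)


if __name__ == "__main__":
    found = find_xmlrpc_posts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} POST {h["path"]} -> {h["status"]} ({h["ua"]})')
    print("POSTs per client:", posts_by_client(found))
    for v in ("1.3.0", "1.3.1", "1.4.0"):
        print(f"PEAR::XML_RPC {v}: {'fixed' if pear_xml_rpc_is_fixed(v) else 'upgrade to 1.3.1'}")
```

Run it against a real access log by passing the file contents to `find_xmlrpc_posts`; a hit does not prove compromise, only that a method call reached the endpoint, so pair the log review with the version check (or with removing xmlrpc.php, as the post recommends when an upgrade is not yet possible).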
