Found this bug a few weeks ago but marked it for myself as ugly but uncritical (Hannes will remember, used his blog as test environment). Until today I haven’t changed my mind, because you need a lot of luck to passthrough with this injection. Just a combination of missing Spam-Karma and stupid blog-owner does the thing. So, calm down. Nevertheless: Wordpress is a great bughole, you won’t use it.