According to Donncha O Caoimh of Automattic, this exploit took advantage of a vulnerability that has been fixed in the latest stable version of WordPress, 2.5.1. As he points out, although 2.5.1 sites have succumbed to the attack, the evidence so far is that they were compromised prior to being upgraded. O Caoimh has a thorough description of how to identify this hack, how to avoid hacks in general, and what to do to recover from a hack in general. If you manage a WordPress blog, you should read his post.

This topic has appeared in the WordPress bug tracker, on the WordPress.org support site, and a number of people have blogged about it.