The latest version of Wordpress is exploitable by what seems to be an 0day exploit. There is no patch on wordpress.org. Here's the actual exploit:
pastebin - collaborative debugging tool
It looks like it's an issue in wp-trackback.php
Temporarily disabling trackbacks should be a work around for now. Nothing has been testing though....