Not entirely. Unlike message "copyright", the message used on thumb.php ("badtitletext") is not a "raw html" message. It is meant to be parsed and displayed regularly. And always was. Except it was re-used for thumb.php, and forgotten to be parsed there. I won't go into details, but it's exploitable under the right circumstances.
-- Krinkle
I don't disagree that it's a bug, but in order to exploit it, a user would have to:
* Convince a user to go to the rather obscure thumb.php page
* Already have the ability to add javascript to any page on the wiki
In which case, why wouldn't evil malicious user just insert javascript on the normal page everyone is looking at. That's both more effective, and probably less noticeable. Thus I don't see how it exposes any new security issues that aren't already present. Of course I may simply just be missing the nature of the "circumstances" that you reference in your comment.
--bawolff
p.s. Given there is now a fix released, I think it's important to be able to have frank discussions about security issues. After all, the best way to prevent future security issues is to make sure everyone understands the past issues, so that people don't make the same mistake again.