Here's something I noticed when I was mucking around in SpecialUpload.php today: there's an easily exploitable vulnerability which allows people to delete any file on the hard drive owned by the apache user.
All you have to do is submit a hand-edited URL with wpReUpload set to true and wpSavedFile set to the server path you want deleted.
As a temporary measure, I've commented out the deletion, on the live server.
-- Tim Starling
wikitech-l@lists.wikimedia.org
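Added example (not the MediaWiki code Tim is describing): the risky pattern the report describes beside a hardened version that only ever unlinks a bare file name resolved inside the upload stash directory. The directory constant, the function names and the choice of a bare name as the stash key are assumptions made for this illustration.

```php
<?php
// Hypothetical directory where the upload form keeps a file between the
// initial upload and the "re-upload" confirmation step (assumed value).
const SAVED_UPLOAD_DIR = '/var/www/mediawiki/images/tmp';

// The pattern the report describes: a request parameter is treated as a
// server path and handed straight to unlink(), so any file the apache
// user may delete can be deleted by anyone who hand-edits the URL.
function unlinkSavedFileUnsafe( string $wpSavedFile ): bool {
    return @unlink( $wpSavedFile );
}

// Hardened version: never treat the client-supplied value as a path.
// Accept only a simple file name, resolve it under the stash directory,
// and confirm the canonical result still lies inside that directory.
function unlinkSavedFileSafe( string $wpSavedFile ): bool {
    // Reject slashes, NUL bytes and traversal components outright.
    if ( !preg_match( '/^[A-Za-z0-9._-]+$/', $wpSavedFile )
        || $wpSavedFile === '.' || $wpSavedFile === '..'
    ) {
        return false;
    }
    $base   = realpath( SAVED_UPLOAD_DIR );
    $target = realpath( SAVED_UPLOAD_DIR . DIRECTORY_SEPARATOR . $wpSavedFile );
    if ( $base === false || $target === false ) {
        return false; // stash directory missing, or no such file
    }
    // After symlink resolution the file must sit strictly below the stash dir.
    if ( strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }
    // Only plain files are ever removed; never directories or devices.
    if ( !is_file( $target ) ) {
        return false;
    }
    return unlink( $target );
}
```

A value such as `/etc/passwd` or `../../LocalSettings.php` fails the name check before any filesystem call is made, and a symlink placed in the stash directory that points elsewhere fails the realpath prefix check.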