Oops. It turns out that there is a vulnerability in many WordPress themes that allows for arbitrary upload and execution.
From mm:
An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory.
For a quick code fix be sure to read the full posting. Also, there is a patch provided via the site.
Hat tip to Ryan Naraine
(Image used under CC from Maze Walker)
