A WordPress plugin is flawed

A highly critical flaw in the Yet Another Photoblog plugin for WordPress is due to a bundled version of phpThumb(). Input passed via the "filtr" parameter to phpThumb is not properly sanitized before being used. This allows an attacker to inject and execute arbitrary shell commands.
The vulnerability was discovered in version 1.9.26 of Yet Another Photoblog.
Users should upgrade to version 1.10.
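As an added defender-side example (not code from the advisory, the plugin or phpThumb): a script that scans web-server access-log lines for requests to phpThumb.php whose filter parameter carries shell metacharacters, which is the pattern a command-injection attempt against the flaw described above would leave. The sample log lines and the plugin directory name are constructed; the page names the parameter "filtr", and "fltr" / "fltr[]" (the spelling phpThumb itself documents) are checked as well, as an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in common log format (not real traffic);
# PLUGIN-DIR is a placeholder for the plugin's directory name.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Nov/2011:10:01:02 +0000] "GET /wp-content/plugins/PLUGIN-DIR/phpThumb/phpThumb.php?src=a.jpg&w=200 HTTP/1.1" 200 5120
203.0.113.9 - - [23/Nov/2011:10:01:07 +0000] "GET /wp-content/plugins/PLUGIN-DIR/phpThumb/phpThumb.php?src=a.jpg&filtr=blur%3B%20true HTTP/1.1" 200 310
198.51.100.2 - - [23/Nov/2011:10:02:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 8000
203.0.113.9 - - [23/Nov/2011:10:03:11 +0000] "GET /wp-content/plugins/PLUGIN-DIR/phpThumb/phpThumb.php?src=a.jpg&fltr[]=gray%7Ccat HTTP/1.1" 200 310
"""

# Common log format: client IP, identd, user, [timestamp], "METHOD target PROTOCOL"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Characters that let a value escape into a shell command line.
SHELL_META = re.compile(r'[;|&`$<>()\n]')
# "filtr" is the name given in the advisory; "fltr"/"fltr[]" are assumed
# alternative spellings taken from phpThumb's own documentation.
FILTER_PARAMS = ("filtr", "fltr", "fltr[]")


def suspicious_requests(log_text):
    """Return (ip, timestamp, param, decoded value) for every phpThumb.php
    request whose filter parameter contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/phpthumb.php"):
            continue  # only the bundled phpThumb entry point is of interest
        # parse_qs percent-decodes, so "%3B" is inspected as ";"
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in FILTER_PARAMS:
            for value in query.get(name, []):
                if SHELL_META.search(value):
                    hits.append((m.group("ip"), m.group("ts"), name, value))
    return hits


if __name__ == "__main__":
    for ip, ts, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {name}={value!r}")
```

A hit only shows an attempt, not a successful compromise; confirm the installed plugin version and upgrade to 1.10 regardless of whether any hits appear.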

Source: Secunia
23.11.2011