This is a plugin vulnerability, not core wordpress.
So I think the headline could reflect this.
A remote execution vulnerability has been discovered in Wordpress backup utility BackWPup. According to Sydney (Australia) company Sense of Security, which published the advisory along with a proof-of-concept, the vulnerability allows local or remote PHP files to be passed to a component of the utility. “The input passed to …
The headline makes out that this is a WordPress problem. It's not, it's a problem affecting a single plugin [One of the many WordPress "backup" plugins] which is installed on a small number of WordPress installs (Going by the stats on wordpress.org).
In other news, the number 73 to Camberwick Green ran 5 minutes late this morning ... yawn
"The input passed to the component wp_xml_export.php via the ‘wpabs’ variable allows the inclusion and execution of local or remote PHP files as long as a ‘_nonce’ value is known. The ‘_nonce’ value relies on a static constant which is not defined in the script meaning that it defaults to the value ‘822728c8d9’."
To my fellow readers: There isn't anything funny here, is there? Because you're a grownup, aren't you? Good.
I recall when the "nonce" was proposed on the WP development mailing list[1], that somebody or other did post a link to urban dictionary as a hint that this might not be the best word to use, but it didn't catch anyone important's attention...
I suspect that devs who speak UKEnglish kept quiet for amusement purposes. Much the same way that apparently nobody told George Lucas that "Yarael Poof[2]" wasn't an altogether ideal name for a member of the Jedi Council...
[1] Called WP-Hackers[2], presumably so people can laugh at the occasional persion joining to offer credit card numbers, or ask for help getting into someone else's email account...
[2] Name seen in credits, character only in the background.
[2] Yes, *we* all know that hackers doesn't mean that, but since lots of other people don't, it's a losing battle...