Ben at Spare Clock Cycles did a cool project in which he swept the WordPress plugin repositories for vulnerable code, finding dozens of exploitable plugins.  I can attest to this bit, specifically regarding vulnerable versions of the TimThumb script:

Finally, I searched for Uploadify usage and outdated timthumb.php libraries. This turned up another 24 vulnerable plugins […]

I’m pretty confident that he’s not the first one to do this, based on my experience with clients’ hacked WordPress sites.  Vulnerable copies of the script were bundled with all kinds of plugins and themes, some widely used and some hardly used at all.
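A sweep like the one quoted above, as an added example (this is not Ben’s tooling and not code from the original post): a small Python scanner that walks a wp-content tree, spots bundled TimThumb copies, and flags those whose declared version predates the fix. It also works as the audit step you would run on a plugin or theme before installing it. Assumptions, all mine: TimThumb declares its release with a `define ('VERSION', '...')` line near the top of the file; copies usually ship as `timthumb.php` or renamed to `thumb.php` (other renames are caught by a content fingerprint); and anything below 2.0 is treated as outdated, so change `MIN_SAFE_VERSION` if your notion of “fixed” differs. The sample files it scans are constructed inline and are not real plugin code.

```python
import os
import re
import tempfile

# Filenames the script usually ships under: timthumb.php, or renamed to thumb.php (assumed).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
# TimThumb declares its release as  define ('VERSION', '2.8.11');  (assumed layout).
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9][0-9.]*)['\"]\s*\)", re.I)
# Content fingerprints for copies renamed to something else entirely (assumed).
FINGERPRINT_RE = re.compile(r"timthumb|\$allowed_?sites", re.I)
# First release treated as fixed; adjust if your threat model says otherwise.
MIN_SAFE_VERSION = (2, 0)


def parse_version(text):
    """'2.8.11' -> (2, 8, 11); tuples compare lexicographically, so 1.34 < 2.0."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def is_outdated(version):
    """Unknown version (None) is treated as outdated: we cannot vouch for it."""
    return version is None or parse_version(version) < MIN_SAFE_VERSION


def inspect_file(path):
    """Return a finding dict if `path` looks like TimThumb, else None."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(64 * 1024)  # version define and header comment sit near the top
    named_like_it = os.path.basename(path).lower() in TIMTHUMB_NAMES
    if not named_like_it and not FINGERPRINT_RE.search(head):
        return None
    m = VERSION_RE.search(head)
    version = m.group(1) if m else None
    return {"path": path, "version": version, "outdated": is_outdated(version)}


def scan_tree(root):
    """Walk a wp-content tree (plugins and themes) and return all TimThumb findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            finding = inspect_file(os.path.join(dirpath, name))
            if finding:
                rel = os.path.relpath(finding["path"], root)
                finding["path"] = rel.replace(os.sep, "/")
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample files (not real TimThumb code): only the lines the scanner keys on.
SAMPLE_TREE = {
    "plugins/gallery-x/timthumb.php":
        "<?php\n/* TimThumb script (sample) */\ndefine ('VERSION', '1.33');\n"
        "$allowedSites = array('flickr.com', 'blogger.com');\n",
    "themes/theme-y/lib/thumb.php":
        "<?php\n/* TimThumb (sample) */\ndefine ('VERSION', '2.8.11');\n",
    "plugins/slider-z/inc/resize.php":
        "<?php\n// renamed copy of timthumb with the version line stripped\n",
    "plugins/slider-z/index.php":
        "<?php\n/* Plugin Name: Slider Z */\n",
}


def build_sample_tree(root):
    """Write the constructed samples under `root` and return `root`."""
    for rel, body in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="wp-content-"))
    return scan_tree(root)


if __name__ == "__main__":
    # Against a real site, call scan_tree("/var/www/html/wp-content") instead.
    for f in demo():
        status = "OUTDATED" if f["outdated"] else "ok"
        print(f"{status:9} {f['version'] or 'unknown':8} {f['path']}")
```

Two design choices worth noting. A copy with no recognisable version line is reported as outdated rather than skipped, because a silent miss is the expensive failure here; and the filename check is deliberately loose, since theme authors renamed the script freely, so expect to eyeball the renamed hits rather than trust them blindly.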

His conclusion is a harsh truth for website owners:

As for what site admins can do, it’s pretty clear: don’t install plugins or themes unless you *absolutely* need to or you are willing to and have the expertise to audit what you’re installing.

We can’t expect very many people to do that, but it’s advice worth taking for anyone with a lot of money riding on a WordPress-based site.