Recently discovered vulnerability, again, is related to the hosting servers, which have register_globals setting turned ON in php.ini. Despite I agree it's our fault this error appeared in the latest release, most importantly it means you have a very insecure hosting, when having turned this on.
Read more info on PHP site:http://php.net/manual/en/security.registerglobals.php
Issue to solve is top paste at the very top of each of these files:
the following line:
if (!defined('INCLUDED776')) die ('Fatal error.');
these files are updated in the freshly issued updated package.
Everybody still is recommended to do this short upgrade.