I thought I was done with this, but it seems that WordPress v2.3.3 did not fix the injection spam loophole; I was just hit by another injection spam attack on my previous post (now cleaned up). I’ve closed user registration on the blog for now, though of course you needn’t register to comment thanks to the captcha plugins I have installed. I suggest that all WP bloggers do the same and keep an eye out for injection spam by monitoring your RSS feed.