Comment 14 for bug 848807

Tres Seaver (tseaver) wrote:

While the likelihood of finding this exploit accidentally is fairly
low, the payoff could be quite high, and thus might warrant some
non-casual effort. For instance, I know of at least one major intelligence
agency running Zope / Plone, which would be a really juicy target for
various classes of determined attackers, for whom studying the codebase
to look for such holes would be perfectly within reason.

Note that actual exploits can go undetected for a *long time* if their
effects are subtle enough. This bug has been in the wild for over a year
now.