In isolation, sure, things get overlooked. But such a core library for so long? (Well, kind of core; PEAR has a forked version which I presume was fixed earlier -- but why didn't that fix get pushed back to PHPXMLRPC?) I accept that one person might use it unwittingly, but the projects Stephen lists are large projects and they really should be paying more attention. Also, if this were the first bug like this, then it would be understandable. But the PHP community should have already learned its lesson on things like this.
I guess I'm spreading fault liberally. It's not like anyone is getting punished for this; assigning blame is purely for kicks. I don't think the original developer deserves all the blame; they did the work and tried. It was sloppy work, but supposedly one of the benefits of releasing your code is that other people will look at it. It took too long for that to happen in this case.