
I kinda agree with the WP people that this is not really an exploit. If you call a script that does a few seconds of processing, and keep calling it, yes it will take down the server...

That said, it can definitely be mitigated by checking for this kind of request explicitly and not letting the same IP keep requesting the URL (plus caching, etc.). Maybe it's an argument for WP to integrate some of the features of 'firewall' plugins.



> If you call a script that does a few seconds of processing, and keep calling it, yes it will take down the server...

aka, exploiting the script loading behavior...


The thing is, in WordPress, it's not uncommon to end up with a public URL that takes a few seconds to generate if it uses a few plugins or multiple queries on a low-end server. This is really just demonstrating that apache/nginx fall over at some point (usually what goes away first is the MySQL connection).


I think the issue is that since the script sits under wp-admin, it is outside of something that administrators can use caching techniques against. Also, if it is under wp-admin, it should require a logon to access.
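Added example, not from any commenter in the thread: the kind of check the first comment suggests, a per-IP sliding window over access-log lines that flags a client repeatedly requesting the same path under wp-admin. The log lines and the script path `/wp-admin/slow-script.php` are constructed placeholders, and the query string is stripped so that varying parameters still count as the same URL.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (nginx/apache): ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (placeholder path and RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2018:10:00:00 +0000] "GET /wp-admin/slow-script.php?load=a HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2018:10:00:01 +0000] "GET /wp-admin/slow-script.php?load=b HTTP/1.1" 200 512
198.51.100.7 - - [10/Feb/2018:10:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 9000
203.0.113.5 - - [10/Feb/2018:10:00:02 +0000] "GET /wp-admin/slow-script.php?load=c HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2018:10:00:03 +0000] "GET /wp-admin/slow-script.php?load=d HTTP/1.1" 200 512
192.0.2.9 - - [10/Feb/2018:10:00:03 +0000] "GET /wp-admin/slow-script.php?load=a HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2018:10:00:04 +0000] "GET /wp-admin/slow-script.php?load=e HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2018:10:00:05 +0000] "GET /wp-admin/slow-script.php?load=f HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2018:10:00:06 +0000] "GET /wp-admin/slow-script.php?load=g HTTP/1.1" 200 512
192.0.2.9 - - [10/Feb/2018:11:00:00 +0000] "GET /wp-admin/slow-script.php?load=a HTTP/1.1" 200 512
"""


def parse_line(line):
    """Return (ip, timestamp, path-without-query) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    path = m.group("target").split("?", 1)[0]  # same URL regardless of query string
    return m.group("ip"), ts, path


def flag_repeat_requesters(log_text, threshold=5, window_seconds=10, prefix="/wp-admin/"):
    """Map (ip, path) -> peak request count for clients that hit one path under
    `prefix` more than `threshold` times within any `window_seconds` span.
    Lines are assumed to be in time order, as a server log normally is."""
    windows = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if not path.startswith(prefix):
            continue
        q = windows[(ip, path)]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop hits that fell out of the sliding window
        if len(q) > threshold:
            flagged[(ip, path)] = max(flagged.get((ip, path), 0), len(q))
    return flagged
```

A flagged (ip, path) pair is what a firewall plugin or a web-server rate limit would act on; requests outside wp-admin and clients that stay under the threshold are left alone.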



