I have a site that was compromised through MageMe's Web Forms. They were able to upload 2 scripts, 1 that allowed them admin access and could set up their own PayPal account to receive payments. (Obviously, PayPal simply does not care... I spent an hour on the phone with them to try to explain that this person was a thief and hacked and they would not even block their account). The emails they used for PayPal were email@example.com and firstname.lastname@example.org.
They were also able to upload a script called magentostealer.php5 which allowed them access to all user data. Thankfully this site did not store credit cards.
Anyone wishing to investigate this further, I will send you the scripts.
This seems to be well above the level of old automated SQL injection scripts.
Did you find out how they were able to upload the file?