I did discover the access point... Apparently WordPress and ZenPhoto both use TinyMCE as an editor... and there was an insecure ajax file manager plugin released with TinyMCE which allowed the hackers to gain access to the file directory.
Of course, once they can upload one file, they can get into the server and do anything.
As it stands, I have confirmed (to the best of my ability) that the database itself was unaffected - it only targeted files. There is a chance that the javascript code which they inserted tracked people's passwords when they were entered... so, if you use the same password here as elsewhere, you probably want to change it. The main thing they did, though, seems to be a plan to use this server as yet another zombie....
Obviously, the server/site is listed in some hacker database now as well, since the server logs still show idiots trying to access the same spot (despite the fact that I completely deleted ZenPhoto, so the directory they are trying to hit no longer even exists)
Of course, each time they do attempt it, it gives me another IP address to report and ban from the server.