Here's the source of all this:
You can try to read between the lines all day with speculation. For example, XSS is the process of inserting code to run as trusted in web pages and the demo EXE may simply represent that code that could come from a webpage but run locally. But public demos giving away much detail wouldn't be in their best interest, too.
DefenseCode does say they tested WRT54GL 4.30.14 which is earlier than the 4.30.16 which is dated the same day as the DefenseCode announcement. Kinda strange.
Conclusion: No way to know. Just speculate. We have 2 days before they say they will disclose. At that time we'll learn much more.