Critical WordPress vulnerability discovered in November 2014
Following the recent Drupal SQL injection vulnerability, the Finnish security company Klikki.fi is reporting that WordPress has a similar vulnerability - equally bad, if not worse, than the Drupal one.
According to the company, the vulnerability is exploited through the commenting function, which is enabled by default. The affected versions are all 3.x and 4.0 versions of WordPress.
Klikki reportedly notified the WordPress maintainers about the issue in September 2014, but a fix has been harder to produce than expected.
The recent Drupal exploit, and possibly a similar security issue in WordPress, could be a serious blow to the credibility of Open Source products - imagine Android being hit by a massive worm.
Even if this report is false (a marketing stunt?), it should be a stark reminder that security and maintenance are still worth paying for when building your business on "free" products.
Original WordPress vulnerability bulletin here (in Finnish): http://klikki.fi/adv/wordpress_ennakko-fi.html
UPDATE: This was indeed real and WordPress 4.0.1 is out. Read the bulletin from Klikki.