

Wordpress is an unauthenticated remote shell that also contains a blog - rbanffy
http://www.bash.org/?949214

======
vizzah
I was just yesterday considering how secure Wordpress is and whether to run it
as a blog separately from the main website (in a chroot/vm or on totally
different hardware).

It is known that most recent vulnerabilities were in third-party plug-ins and
Wordpress has become much more secure than in its early days. However, I am
still hesitant to run one piece of open-sourced software which can work out
as most likely the only remotely exploitable way to get in. Apache2 is the
second one, but I can't recall it having remotely exploitable bugs in the last
decade with its default configuration.

------
diegoperini
Can someone elaborate, please?

~~~
mmosta
QDB is a database of IRC quotes.

This undated entry alludes to both severity and volume of vulnerabilities in
Wordpress Core, likely prior to the drive for security in ~2009.

Still humorous today despite the best efforts of the WP team because the
exploit front-line is continually extended by poorly written plugins.

