revjim.net

WordPress Vulnerabilities

It appears that "Security vulnerabilities have been found in WordPress, the popular PHP-based open source blogging application. Some scripts in WordPress are not properly validated, leaving the program open to cross-site scripting (XSS) attacks in which third parties could insert content into a WordPress-driven site." [via "PHPDeveloper":http://www.phpdeveloper.org/index/2485]

WordPress is a mutated version of cafelog, which is now defunct. And cafelog had some of "the most poorly written code I've ever seen":http://revjim.net/item/3955/. So the fact that these vulnerabilities have been found in WordPress doesn't really surprise me. As "I've stated before":http://revjim.net/item/9467/, the codebase really is atrocious.

Yes, features are important. And usability is important. But with terrible code behind all those good features and excellent usability, everything becomes slower, dirtier, and more complicated. Dirty and complicated almost never equate to a secure application. I mean, with so many people working on a single project, it's difficult to be certain that user-supplied data is being treated properly, that authentication is being performed in all the needed places, and that the application is wholly secure.

If you're a WordPress user, be on the lookout for an update in the near future, and be sure to upgrade as soon as it's released. Hopefully, the developers understand this terrible code well enough to locate the source of the problems quickly and come up with a good, well-thought-out solution.
