WordPress is a great application that you can use to create beautiful websites or blogs. The core software is built by loads of community volunteers, and there are thousands of plugins and themes available to transform your site into almost anything you can imagine.
WordPress is not only free but also a state-of-the-art semantic personal publishing platform with a strong focus on aesthetics, web standards, and usability.
WordPress was initially developed as a blogging platform, but over the last few years it has grown into a full-fledged and popular content management system (CMS) capable of hosting static and dynamic content, e-commerce, event calendars, and audio and video podcasts. This is largely due to the expansive plugin system and the massive support community. It also comes with a great set of features designed to make your experience as a web content publisher as easy, pleasant and enjoyable as possible. To get started with WordPress, set it up on a web host for the most flexibility, or get a free hosted account from WordPress themselves.
Overall, WordPress has a rich content editor and makes plugins easy to discover. The learning curve is a bit steep for novice users, but WordPress has a good user interface and a massive community to turn to when you get stuck and are unsure what to do.
Karim El Ouerghemmi discovered that authors could alter metadata to delete files that they were not authorized to delete.
Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input.
Sam Thomas discovered that contributors could craft metadata in a way that resulted in PHP object injection.
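The following is an added illustration, not WordPress's own code and not the specific 5.0.1 bug, of what "PHP object injection" means in general: a low-privileged user supplies a string that the server hands to unserialize(), which instantiates whatever class the string names and later triggers its magic methods. The LogWriter class is hypothetical and stands in for any loaded class with a side-effecting __destruct or __wakeup; the two hardened loaders are the standard mitigations.

```php
<?php
// Added example, not WordPress code. LogWriter is a hypothetical "gadget" class:
// the attacker does not need to upload it, only to find one like it already loaded.

class LogWriter
{
    public $path = '';
    public $data = '';

    // Runs automatically when the object is destroyed. Whoever controls the
    // serialized form controls $path and $data, so this is an arbitrary file write.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable: contributor-supplied metadata is deserialized with no restriction
// on which classes may be instantiated.
function load_meta_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened (1): refuse to instantiate any class. Objects come back as
// __PHP_Incomplete_Class and no magic method ever runs.
function load_meta_safe(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null; // malformed input: reject rather than guess
    }
    return $value;
}

// Hardened (2): do not use PHP serialization for user-controlled data at all.
// JSON can express only arrays and scalars, never objects with behaviour.
function load_meta_json(string $raw)
{
    $value = json_decode($raw, true, 32);
    return json_last_error() === JSON_ERROR_NONE ? $value : null;
}

// Constructed attacker payload, written by hand so that no LogWriter object is
// created (and therefore no __destruct fires) before the demonstration.
$target  = sys_get_temp_dir() . '/injected.txt';
$content = 'written by a deserialized object';
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($content), $content
);

@unlink($target);
$obj = load_meta_unsafe($payload);
unset($obj);                                  // __destruct runs here
echo 'unsafe: file exists = ', var_export(file_exists($target), true), PHP_EOL;

@unlink($target);
$obj = load_meta_safe($payload);
echo 'safe:   class = ', get_class($obj), PHP_EOL;   // __PHP_Incomplete_Class
unset($obj);
echo 'safe:   file exists = ', var_export(file_exists($target), true), PHP_EOL;

var_dump(load_meta_json($payload));           // NULL: not JSON, rejected
```

The point of the unsafe branch is that nothing in the application ever has to call a LogWriter method: destruction alone is enough. With allowed_classes disabled the same payload is inert, and with JSON the class name cannot even be expressed. Whichever loader you use, treat any value a contributor or author can write as untrusted, regardless of where it is stored.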
Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.
Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.
Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload specially crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.
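As an added example of the check the item above is about, and not WordPress's own upload code, the validator below requires the filename's extension and the file's actual content to agree, and rejects names with more than one extension. The extension allowlist is a hypothetical subset chosen for illustration; the sample files are constructed inline.

```php
<?php
// Added example, not WordPress code: validate an upload by its content, not its name.

// Hypothetical allowlist: extension => MIME type the content must actually report.
const ALLOWED_UPLOADS = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Returns null if the upload is acceptable, otherwise a reason string.
 * $name is the client-supplied filename, $tmpPath the stored temporary file.
 */
function check_upload(string $name, string $tmpPath): ?string
{
    $parts = explode('.', basename($name));
    if (count($parts) < 2 || $parts[0] === '') {
        return 'no extension';
    }
    // Reject multiple extensions outright. Under Apache, mod_mime evaluates every
    // dotted suffix of a name, so "page.html.jpg" can be served as text/html even
    // though the last extension looks like an image.
    if (count($parts) > 2) {
        return 'multiple extensions';
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        return "extension .$ext not allowed";
    }
    // Sniff the real content instead of trusting the name or the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($tmpPath) ?: 'unknown';
    if ($real !== ALLOWED_UPLOADS[$ext]) {
        return "content is $real, expected " . ALLOWED_UPLOADS[$ext];
    }
    return null;
}

// Constructed inputs: a genuine 1x1 PNG and an HTML document wearing a .jpg name.
$png  = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$html = "<html><body><script>alert(document.cookie)</script></body></html>";

$pngFile  = tempnam(sys_get_temp_dir(), 'up');
$htmlFile = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pngFile, $png);
file_put_contents($htmlFile, $html);

$cases = [
    ['pixel.png',     $pngFile],   // accepted
    ['pixel.jpg',     $pngFile],   // rejected: content is image/png, not image/jpeg
    ['page.jpg',      $htmlFile],  // rejected: content is text/html
    ['page.html.jpg', $htmlFile],  // rejected: multiple extensions
    ['page.jpg.html', $htmlFile],  // rejected: multiple extensions
];
foreach ($cases as [$name, $path]) {
    $verdict = check_upload($name, $path);
    printf("%-16s %s\n", $name, $verdict ?? 'OK');
}
unlink($pngFile);
unlink($htmlFile);
```

Rejecting every multi-extension name is deliberately stricter than necessary (it also blocks "archive.tar.gz"); the alternative is to allow a second extension only when every suffix is itself in the allowlist. For images, pairing the MIME sniff with getimagesize() catches files that carry a valid magic number followed by non-image content.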
Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.