A remote code execution vulnerability for the .Org WordPress fork has been reported (archived). At the core of this issue is Auttomattic's refusal to have their software do any sort of checking when comments are involved, a flaw which has left the bulk of WordPress blogs open to being used as DDoS participants. Because why would they fix structural problems? Why fix the grave structural problems making the software a public nuissance, when they can wait and patch particular problems only as they are exploited?