by creullin 3728 days ago
Eh, it wasn't WordPress per se, but a plugin. This plugin's vulnerability was also posted YEARS ago. So I wouldn't blame WP (in this case).

As a dev, I've come across plenty of out of date CMS/modules/plugins that had huge security holes in them. It's part of the 'build and forget' mentality that seems to be widespread these days.


As much as I'll be the first to say "update your damned plugins" to every Wordpress dev, there's more to it than that.

Revslider is a "premium" plugin, which means you buy the plugin, and then, optionally, ongoing support, which includes updates.

You can log on to Wordpress and there's a big "click here to update all your plugins" button. And you press it, and it will say "you are fully updated now!" or something to that effect.

To update revslider, you're supposed to use your support agreement to log on to the distributor's website, and go download and install an update separately. I've seen dozens of revslider deployments and I've never yet had a developer believe there was anything more to it than pressing the "automatic update" button, which basically lies to you in the case of premium plugins.

I'm perfectly happy blaming Wordpress - because it needs a mechanism of saying "nope, this plugin requires a support agreement. It is, however, vulnerable".
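The gap the comment above describes, a premium plugin that the built-in updater never refreshes, is one an operator can close with an inventory check that does not rely on the updater at all. The script below is an added example, not code from either commenter or from WordPress: it walks a `wp-content/plugins` directory, reads each plugin's standard header (`Plugin Name:` / `Version:`), and compares the installed version with a locally maintained minimum-version table. The table and the sample plugin files are constructed for the example; the version numbers in them are placeholders, not real release numbers.

```python
"""Flag WordPress plugins whose installed version is below a minimum you
track yourself (e.g. premium plugins that wp-admin's updater cannot see).
Added example; assumes the standard wp-content/plugins/<slug>/ layout."""
import os
import re
import tempfile

# Constructed minimum-version table. In practice this is maintained by hand
# from each vendor's own advisories; the numbers here are placeholders.
MIN_VERSIONS = {
    "revslider": "2.0.0",
    "some-free-plugin": "1.2.0",
}

# Constructed plugin main files using the real WordPress header comment
# format (a header may use either '/* ... */' or '/** * ... */' styles).
SAMPLE_PLUGINS = {
    "revslider/revslider.php": (
        "<?php\n/*\nPlugin Name: Slider Revolution (sample)\n"
        "Version: 1.0.0\n*/\n"
    ),
    "some-free-plugin/some-free-plugin.php": (
        "<?php\n/**\n * Plugin Name: Some Free Plugin\n * Version: 1.3.0\n */\n"
    ),
    "unknown-plugin/main.php": (
        "<?php\n/*\nPlugin Name: Unknown Plugin\nVersion: 0.9\n*/\n"
    ),
}

# Matches 'Plugin Name:' and 'Version:' lines, tolerating the ' * ' prefix
# used inside docblock-style headers.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(text):
    """Return a dict of the recognised header fields found in `text`."""
    return {key: value for key, value in HEADER_RE.findall(text)}


def version_tuple(version):
    """'1.2' -> (1, 2, 0): numeric components only, padded/truncated to 3."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0, 0])[:3])


def read_plugin_header(plugin_path):
    """Find the top-level .php file carrying the plugin header, if any."""
    for name in sorted(os.listdir(plugin_path)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_path, name), encoding="utf-8",
                  errors="replace") as fh:
            header = parse_plugin_header(fh.read(8192))  # header sits at the top
        if "Plugin Name" in header:
            return header
    return None


def audit_plugins(plugins_dir, min_versions):
    """Return one finding per plugin directory with a status classification."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_path):
            continue
        header = read_plugin_header(plugin_path) or {}
        installed = header.get("Version", "")
        minimum = min_versions.get(slug)
        if minimum is None:
            status = "UNTRACKED"      # nobody has recorded a floor for it
        elif not installed:
            status = "NO_VERSION"     # header missing or unreadable
        elif version_tuple(installed) < version_tuple(minimum):
            status = "BELOW_MINIMUM"  # the updater button would not have told you
        else:
            status = "OK"
        findings.append({"slug": slug, "name": header.get("Plugin Name", slug),
                         "installed": installed, "minimum": minimum,
                         "status": status})
    return findings


def write_sample_tree(root):
    """Materialise the constructed sample plugins under `root`."""
    for rel, content in SAMPLE_PLUGINS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def audit_sample():
    """Run the audit over the constructed tree; returns {slug: status}."""
    root = write_sample_tree(tempfile.mkdtemp())
    return {f["slug"]: f["status"] for f in audit_plugins(root, MIN_VERSIONS)}


if __name__ == "__main__":
    root = write_sample_tree(tempfile.mkdtemp())
    for f in audit_plugins(root, MIN_VERSIONS):
        print(f"{f['status']:14} {f['slug']:18} installed={f['installed'] or '?'}"
              f" minimum={f['minimum'] or '-'}")
```

Run it against a real install by calling `audit_plugins("/path/to/wp-content/plugins", MIN_VERSIONS)`. The `UNTRACKED` status is deliberate: a plugin with no recorded floor is exactly the kind the comment describes, one that nobody is watching because the dashboard says everything is up to date.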