[punjabisingh]

The bugs are coming from everywhere.

In my view, the worst ones are the ones coming from core. They've come from old code (i.e. the comments XSS due to overly large comments) or from including other libraries (i.e. genericons vulnerability).

I think this sort of stuff is bound to happen since WordPress is slowly becoming the kitchen sink trying to keep up with all demands of the users.

The good part is:

* They are increasing their unit tests coverage.

* With auto-updates, the huge amount of sites that use WordPress are not left in the dark. So I consider it a feature even if it comes at a price. When the software is being used at the scale that WordPress is, it is a needed feature.