As an open source project, WordPress gives everybody easy access to its source code and also to the code of most free plugins and free themes.
The latest security breach to make the news was that of the so-called “Panama Papers”, and it looks like an outdated version of a popular WordPress plugin was the culprit in this particular case.
From the Wordfence Security Blog:
The Mossack Fonseca (MF) data breach, aka Panama Papers, is the largest data breach to journalists in history and includes over 4.8 million emails. Yesterday we broke the story that MF was running WordPress with a vulnerable version of Revolution Slider and the WordPress server was on the same network as their email servers when the breach occurred.
Today we will release new information describing how the attackers may have breached the MF email servers via WordPress and Revolution Slider. We will also summarize below how they probably gained access to client documents via Drupal. We are breaking the story today about the link between WordPress and MF’s email server. The Drupal story has already been covered earlier this week in the media by Forbes (see below), but we are providing some data to support it.
You can also read more about this here: https://www.icij.org/investigations/panama-papers/