WordPress Flaw
This flaw should never have crept into the code base; it’s an elementary SQL injection attack. And once in the code base, it should have been caught by review. But it didn’t get caught, and the WordPress team sat on the fix for nearly a month before advising people to upgrade; during just over two of those weeks an exploit was widely disseminated.