![](/static/66c60d9f/assets/icons/icon-96x96.png)
![](https://fry.gs/pictrs/image/c6832070-8625-4688-b9e5-5d519541e092.png)
That’s the ecosystem. WordPress itself is pretty basic, these things attack plugins, and their often not-very-experienced creators and users. The thing with WordPress is that this kind of vulnerability comes with the problem space, not the particular solution. If there was a different product in the same space, it would not fare better by default.
Also, I’d bet that a ton of CVEs are filed for C++ libraries, yet nobody is harping on about how insecure C++ is.
The case is basically that having a non-tracking paid tier makes no difference, the free tier if it exists can’t include mandatory tracking.
So they can offer a paid tier with no tracking, but they must also offer no tracking on the free tier.