The bug appears in WordPress instances prior to version 4.9.9 and was exploitable for as long as six years, the RIPS Technologies researchers said.