Carphone Warehouse cops £400k fine after hack exposed 3 MEEELLION folks’ data

>> Whereas the front end provided authentication should be piped through to the backend to establish a data access session in the context of the front-end user that wants to look up data.

It is fairly normal to have a single user account used by a web application to CRUD data from a database, with roles enforced within the web application.

The problem here seems to be that the permissions for that database user weren't tightly scoped to the database/schema supporting the Wordpress instance; it was presumably a root account with access to EVERYTHING on the db server.

This is rather sloppy.

Unless they were using Wordpress to store personal data on CW customers, which would be an "interesting" approach.
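As an added illustration of the scoping point made in the comment above (this is example SQL written for this page, not anything from the commenter, Carphone Warehouse or the WordPress project), the following MySQL/MariaDB statements put the over-broad grant beside a scoped one. The schema names `wordpress_site` and `customer_data`, the account names `wp_app` and `wp_maint`, the `10.0.1.%` host pattern and the placeholder passwords are all assumed values for the example.

```sql
-- Example grants for a web application's database account (added example;
-- schema, account and host names are assumed for illustration).

-- Weak setting, shown only for contrast: a global grant means a compromise of
-- the web application reaches every schema on the server, not just the site's.
--   GRANT ALL PRIVILEGES ON *.* TO 'wp_app'@'10.0.1.%';

-- A second schema on the same server that the web app has no business reading.
CREATE DATABASE IF NOT EXISTS customer_data;

-- Hardened setting: the runtime account is scoped to the one schema the site
-- uses and to the statement types the application issues at runtime.
CREATE DATABASE IF NOT EXISTS wordpress_site;
CREATE USER IF NOT EXISTS 'wp_app'@'10.0.1.%'
  IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON wordpress_site.* TO 'wp_app'@'10.0.1.%';

-- Schema changes (core/plugin upgrades) need CREATE/ALTER/DROP; keep those on a
-- separate account used only during maintenance, not on the runtime user.
CREATE USER IF NOT EXISTS 'wp_maint'@'10.0.1.%'
  IDENTIFIED BY 'REPLACE_WITH_ANOTHER_GENERATED_SECRET';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON wordpress_site.* TO 'wp_maint'@'10.0.1.%';
FLUSH PRIVILEGES;

-- Check 1: the runtime account's grants should name wordpress_site only,
-- never `ON *.*`, and should carry no GRANT OPTION.
SHOW GRANTS FOR 'wp_app'@'10.0.1.%';

-- Check 2: list every account that holds a global privilege, which is where a
-- "root account with access to everything" used by an application would show up.
SELECT user, host
  FROM mysql.user
 WHERE Select_priv = 'Y' OR Insert_priv = 'Y' OR Super_priv = 'Y';
```

With these grants in place, a query from the `wp_app` session against `customer_data` fails with an access-denied error rather than returning rows, which is the behaviour the comment is asking for; the two checks at the end are the ones to run on an existing server to confirm no application account has quietly been given `*.*`.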

