It looks like a research group found a security vulnerability that they then used to find a single common key in all of the cards made by this company. The second part here is a reasonable concern, but the article calls the vulnerability a backdoor in the beginning, which I think is fairly misleading.
The software is free, but it looks like the trademark is not. So WordPress bans WP engine from some WordPress stuff b/c they aren’t technically WordPress. In other words, they’re free to use (and change) the software, but they can’t (or, rather, shouldn’t) use the name—according to WordPress. WP sues for usage anyway after they are barred from some event or something, but now WordPress is suing back, turning an unofficial dispute to a legal one.