HeadlinesBriefing.com

EmDash CMS launches as WordPress successor with revolutionary plugin security

Hacker News

EmDash, a new open-source CMS, launches as a spiritual successor to WordPress, aiming to solve the platform's critical plugin security flaws. Written entirely in TypeScript and designed for serverless deployment, EmDash isolates plugins in Dynamic Workers, granting them only the capabilities explicitly declared in their manifest. This approach eliminates the direct database and filesystem access that plagues WordPress plugins, where 96% of security issues originate. The MIT-licensed EmDash offers compatibility with WordPress functionality while avoiding its GPL constraints, potentially breaking marketplace lock-in where manual reviews and license restrictions stifle plugin development. EmDash v0.1.0 is available for deployment on Cloudflare or any Node.js server today.

WordPress's plugin architecture, fundamentally insecure after 24 years, forces manual marketplace reviews due to widespread vulnerabilities. EmDash's capability-based security model allows administrators to define strict installation rules based on requested permissions, moving beyond reputation-based trust. Plugins can now use any license, independent of EmDash, and run in isolated sandboxes without exposing their code. This separation addresses the core problem: WordPress plugins must be GPL-licensed, locking developers into the marketplace ecosystem.
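The sketch below is an added example, not EmDash code: it shows how an install rule keyed on requested permissions could be evaluated against a plugin manifest, with default deny for anything the administrator has not listed. The manifest shape, capability names and policy fields are hypothetical, since the article does not give EmDash's actual format.

```typescript
// Added illustration. The manifest shape, capability names and policy fields
// are hypothetical; they are not taken from EmDash's actual API.
type PluginManifest = { id: string; capabilities: string[] };
type InstallAction = "allow" | "review" | "deny";
type InstallDecision = { action: InstallAction; reasons: string[] };

interface InstallPolicy {
  allow: string[];  // auto-approved capabilities; a trailing "*" matches a prefix
  review: string[]; // capabilities that require manual admin approval
}                   // anything matching neither list is denied (default deny)

function capMatches(pattern: string, cap: string): boolean {
  if (pattern.charAt(pattern.length - 1) === "*") {
    return cap.indexOf(pattern.slice(0, -1)) === 0;
  }
  return pattern === cap;
}

// Install-time decision made from the requested permissions alone.
function evaluateInstall(manifest: PluginManifest, policy: InstallPolicy): InstallDecision {
  const reasons: string[] = [];
  let action: InstallAction = "allow";
  for (const cap of manifest.capabilities) {
    if (policy.allow.some((p) => capMatches(p, cap))) continue;
    if (policy.review.some((p) => capMatches(p, cap))) {
      if (action === "allow") action = "review"; // never downgrade a deny
      reasons.push(cap + ": needs manual approval");
    } else {
      action = "deny";
      reasons.push(cap + ": not permitted by policy");
    }
  }
  return { action, reasons };
}

// Runtime check: a sandboxed plugin may only use what its manifest declared.
function isDeclared(manifest: PluginManifest, cap: string): boolean {
  return manifest.capabilities.indexOf(cap) !== -1;
}

// Constructed sample data.
const policy: InstallPolicy = {
  allow: ["content:read", "media:read"],
  review: ["content:write", "network:fetch:*"],
};
const gallery: PluginManifest = { id: "gallery", capabilities: ["content:read", "media:read"] };
const mailer: PluginManifest = { id: "mailer", capabilities: ["content:read", "network:fetch:api.example.com"] };
const backup: PluginManifest = { id: "backup", capabilities: ["content:read", "db:raw"] };
```

A plugin that asks for an unlisted capability such as the constructed `db:raw` is rejected regardless of who published it, which is the difference from reputation-based trust.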

EmDash represents a significant shift for content publishing, targeting the same broad audience WordPress served while fixing its most persistent security weaknesses. By providing a secure alternative with modern tooling, EmDash aims to empower developers and platforms without the legacy constraints of the original CMS. The project's early beta invites immediate experimentation, signaling a potential new standard for secure, extensible content management systems.