Is it possible to find a buffer overflow in WordPress?
As PHP does memory management and a lot of stuff by itself, finding a buffer overflow specifically in WordPress doesn't really make sense to me.
Before discrediting that Penetration Tester, I'd ask him/her for documentation of the finding in question. As he/she works for said client (sounds like it, correct me if I'm wrong), it's his/her job to report such an issue to the client, including a documentation of at least a way to track down/reproduce the issue.
I'm very sceptical, as you say, that he/she only had access to the webservice from the outside. Verifying a low-level issue like a buffer overflow (which is even way beyond the webservice or wordpress in general) is next to impossible from the outside.
Executing one is tricky, even if you have access to the source code, which doesn't seem to be the case (assuming it's not a whitebox test).
P.S.: If you get an answer from the client/pentester, I'd love to hear it. You got me pretty curious for some reason...
It could be that he found a buffer overflow in PHP or glibc which can be exploited via Wordpress. For example, 3 years ago there was a hole in gethostbyname() which could be exploited via Wordpress. It is called the GHOST vulnerability.
If you have a very old OS without updates as well as a very old Wordpress that could be true.
As GxTruth mentioned, PHP does memory management. This means anything running on php is basically as secure against buffer overflows as php is (unless you're doing something really crazy).
But php isn't 100% safe from buffer overflows: https://stackoverflow.com/questions/11817576/is-php-buffer-overflow-possible
If this pentester has actually found a buffer overflow, they should be able to tell you exactly how to reproduce it. At that point you should be able to trace that into the code. It may be this is caused by a previously patched version of WP/PHP. Always make sure you are up to date on the latest patches across your whole tech stack.
If it turns this is a bug in the most recent versions, then collect the relevant information and file the appropriate bug reports. You can notify the people who develop php here: http://bugs.php.net/. Make sure to mark your bug as security
related. It would also be relevant to read this first: https://wiki.php.net/security. Also, report this to WordPress or any developers of third-party plugins/themes that are affected so they can take steps to mitigate the issue while PHP itself is patched.
And if this is a problem, as curious as we may be to hear what it is, do not report on this publicly until the maintainers of the affected code have a chance to fix it as this will affect many sites across the web and not just yours.