2025 mid-year WordPress vulnerability report

WordPress security whitepaper

Introduction

There’s good news and there’s bad news.

The good news is that the WordPress security research community is uncovering more and more vulnerabilities in the ecosystem. Every vulnerability disclosure creates a critical window where users can secure their sites before attackers weaponize the flaw.

The bad news is that there are a lot of them, and with the EU’s Cyber Resilience Act fast approaching, ecosystem players have a lot of work to do to make WordPress a more secure platform.

6,700 new vulnerabilities were identified in the WordPress ecosystem in just six months. What’s even more concerning is that 41% of them are exploitable in real-life attacks.

About Patchstack

In April, Patchstack became the largest vulnerability discloser of all time globally, surpassing Microsoft.

This is the result of hard work by our Bug Bounty community, but also our internal research team. In the first half of the year, 3,431 valid reports were submitted by 125 researchers via our Bug Bounty program.

Plugin developers also have a huge role to play in making the ecosystem more secure. With CRA, they will have a legal responsibility to do so, lest they face penalties similar to GDPR violations.

We’re excited to say, though, that more than 800 plugin developers have already joined our free mVDP program, speeding up their capability to respond to security bugs, and taking a big step toward becoming CRA-compliant.

To get the full picture of what’s happened in the WordPress security space in the first half of this year, dive into the statistics below.

“In the first month, Patchstack has blocked 631.5k+ threats across sites using WP Umbrella. We also converted 4.5% of sites to our Patchstack-powered add-on, creating an additional revenue stream.”

Aurelio Volle

Founder of WP Umbrella

Key Insights

CVSS vs Patch Priority

CVSS often assigns too high a severity to low-impact WordPress vulnerabilities

WordPress vulnerabilities in the first half of the year skew toward the middle of the severity spectrum according to CVSS (Common Vulnerability Scoring System).

Only 8% score Critical (CVSS 9-10), while 14% land in the High CVSS 8 range. The largest block, 31%, sits at CVSS 7-7.9, with the remainder spread through Medium (4-6.9) and a tiny Low tail below 4.

Patchstack’s own priority scoring tells a slightly different story: 23% of vulnerabilities demand “High” priority remediation (real-time protection with targeted security rules), 18% are “Medium,” and 58% are “Low.” 

In other words, Patchstack flags nearly three times more items as urgent (based on real-world experiences and likelihood of exploitation) than a strict “CVSS 9+” cut-off would capture.

The difference between official CVSS scoring and Patchstack Priority

As a general system, the CVSS score doesn’t account for the specifics of the WordPress ecosystem. Patchstack’s Priority Score upgrades severity when a flaw is easy to exploit in the wild, affects a widely used plugin, or is already under attack. That is why the “High priority” bucket is larger than the raw critical-CVSS slice, providing real-world context that users and companies can act on.

More high-severity vulnerabilities are being found in 2025

In the first half of 2025, only 22% of vulnerabilities received a high or critical CVSS score. However, looking at the Patchstack Priority Score, we see that 41.5% of vulnerabilities have been classified as exploitable in real life.

This suggests that not only are more vulnerabilities being found this year, but also that a larger share of them are serious. For context, last year 30.4% of vulnerabilities were considered exploitable based on the Patchstack Priority Score.

What does this mean?

For hosting companies, these high-priority issues must be mitigated immediately: plugin updates often lag, which widens the window in which a site is exposed to attacks on the vulnerability.

Top 5 vulnerability types

Cross-Site Scripting (XSS) was the most common vulnerability type

Summary

Cross-Site Scripting (XSS) dominated the first half of the year with 34.7%, almost double the next category. Close behind, Cross-Site Request Forgery (CSRF) logged 19%, while Local File Inclusion (LFI) contributed 12.6%, Broken Access Control added 10.9%, and SQL Injection (SQLi) appeared at 7.2%.

What stands out is how heavily these issues lean on insecure handling of user-supplied input: XSS, CSRF, and LFI together account for well over half of all cases and generally require no authentication, mirroring the dataset’s wider finding that 57% of vulnerabilities are exploitable by any site visitor. 

The prevalence of Broken Access Control shows that mis-mapping WordPress roles and capabilities remains a common pitfall. At the same time, the persistence of SQLi, even at a single-digit share, confirms that raw queries and library misuse haven’t disappeared.

Taken together, the top five categories represent roughly 85% of the entire threat surface.

What does this mean?

If you’re a WordPress user or a hosting company with a significant share of WordPress users, the prevalence of XSS vulnerabilities means that:

  • Users using vulnerable WordPress plugins are at risk of data theft, account hijacking, or session hijacking.
  • Attackers may leverage compromised websites to spread malware, impacting the hosting company’s overall security reputation.

Running a hosting company? Protect your users, improve server health and earn additional revenue - book a discovery call.

From a high-level perspective, this means that your hosting company, even though it’s not responsible for the components users install on their sites, could also become exposed to risk. When multiple sites hosted on a shared environment are exploited due to XSS vulnerabilities, the server’s IP address could be blacklisted by search engines and email providers.

Additionally, even though it’s the users’ responsibility, you will see a surge in support volume due to compromised sites. Depending on your offering and how far you’re willing to go to help your users, your security teams might get more tasks to clean up hacked sites or restore backups.

Finally, users will associate the security issues with their hosting provider, even if the root cause is plugin-related. It’s why we’re increasingly seeing hosting companies take preventive action to secure their users.

Top 5 vulnerability prerequisites

Almost 60% of vulnerabilities can be exploited by a complete outsider

Nearly three in five vulnerabilities (57.6%) can be automatically exploited by a complete outsider without needing to hack credentials or gain access beforehand. 

A further 20.6% (707 cases) require only a low-privilege Contributor login, while Subscriber-level issues account for an additional 11.5% (396).

What does this mean?

Attackers face minimal barriers: most security bugs can be exploited using fully automated, large-scale attacks without requiring any prior access to vulnerable websites.

Worth noting:

  • Over half of all vulnerabilities require no authentication at all, and most of these fall into categories like XSS and CSRF. These often stem from poor input validation.
  • Additionally, many lower-privilege bugs (e.g. Contributor/Subscriber) are found in visual content builders or forms that lack proper capability checks.
  • Because admin-only issues are uncommon, “least privilege” policies are helpful, but real risk reduction still hinges on fast vulnerability mitigation capabilities.
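An added example, not Patchstack’s code and not taken from any specific plugin, of the defects behind the CSRF, Broken Access Control, SQLi and XSS shares above and the missing capability checks noted in this list: a hypothetical plugin AJAX handler as it is commonly written, then hardened with the checks WordPress core already provides. The `ex_` names and the `ex_notes` table are invented.

```php
<?php
// Hypothetical plugin AJAX endpoint (function names and table are invented).
// BEFORE: the defects behind four of the top-5 categories in one handler.
function ex_save_note_insecure() {
    global $wpdb;
    $note = $_POST['note'];                       // no nonce check: CSRF
    // no current_user_can(): any logged-in user reaches this (Broken Access Control)
    $wpdb->query( "INSERT INTO {$wpdb->prefix}ex_notes (body) VALUES ('$note')" ); // SQLi
    echo $note;                                   // unescaped output: XSS
    wp_die();
}
// Not registered here; it would be hooked exactly like the secure version below.

// AFTER: nonce, capability check, sanitised input, prepared query, escaped output.
function ex_save_note_secure() {
    global $wpdb;
    // CSRF: reject requests lacking a nonce made by wp_create_nonce( 'ex_save_note' ).
    check_ajax_referer( 'ex_save_note', 'nonce' );
    // Access control: check a capability, never a role name or just "is logged in".
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Input: unslash, then sanitise to the shape you expect (plain text here).
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( '' === $note ) {
        wp_send_json_error( 'empty note', 400 );
    }
    // SQLi: bind the value with $wpdb->prepare instead of interpolating it.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}ex_notes (body) VALUES (%s)",
        $note
    ) );
    // XSS: escape for the context the value is rendered in (HTML here).
    wp_send_json_success( array( 'note' => esc_html( $note ) ) );
}
add_action( 'wp_ajax_ex_save_note', 'ex_save_note_secure' );
// No wp_ajax_nopriv_ hook: unauthenticated visitors get no route to this handler.
```

The capability named in `current_user_can()` should be the narrowest one that the action genuinely needs; `edit_posts` is only a placeholder for this example.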

Since plugin management relies on third parties (users, plugin developers), the best way for hosting companies to protect themselves from reputational risk is to collaborate with real-time vulnerability scanning and mitigation tools. Proactivity is now essential, not optional.

Vulnerabilities by components 

In this half-year, Patchstack’s security researchers and bug bounty hunters reported 2,816 components as vulnerable. 

Out of those affected components, the overall number of affected active installs (sum of active installs per report) was 56,058,527. The average active install count per affected component was 16,338, meaning that, on average, 16,338 users were affected by each vulnerability.

15% of components had two or more vulnerabilities

Most vulnerabilities were discovered in WordPress plugins (3,044), followed by themes (386), while only a single vulnerability was identified in the WordPress core.

Plugins were responsible for 89% of all vulnerabilities

Trend: WordPress theme security is under more scrutiny in 2025

In 2024, Patchstack’s researchers and bug bounty hunters found 4,166 new security vulnerabilities in plugins, themes, or WordPress Core. Patchstack’s research made up 52% of the total of 7,966 vulnerabilities found and registered by CVE. 

96% of those vulnerabilities were found in plugins and 4% in themes. There were only 7 vulnerabilities in Core, but none so dangerous as to pose a risk. 

In the first half of 2025, by contrast, Patchstack’s researchers and bug bounty hunters found more vulnerabilities in themes than they did in 2024. This correlates with a growing number of premium theme developers joining Patchstack’s mVDP program.

Although plugins have been responsible for the vast majority of vulnerabilities in recent years, themes shouldn’t be disregarded. They are generally less investigated than plugins, as many are premium products with no free tier, so their code isn’t as readily available to researchers.

What does this mean?

Since WordPress Core is an open-source project that’s being actively worked on by thousands of contributors, it’s normal for its code to be more reviewed and less prone to vulnerabilities. However, plugins and themes are developed by independent developers, so the code review processes aren’t as standardized. 

We expect the situation to improve as the Cyber Resilience Act takes effect in 2026, as outlined in our 2025 State of WordPress Security Report. Additionally, we are actively helping plugin developers monitor their plugins for vulnerabilities through the Patchstack Managed Vulnerability Disclosure Program.

However, one simple truth still stands: you and your users aren’t relying only on your own security practices. Plugin developers are a critical part of your stack, and you don’t have in-depth insight into their security practices.

Proactivity and mitigation on your part are still the best safeguards.

CVE publishing: who reports the most vulnerabilities?

Patchstack disclosed almost 67% of all new vulnerabilities in the first half of 2025

In 2025, Patchstack’s efforts to build and maintain a thriving security research community are continuing to deliver results. 

We reported 4,462 vulnerabilities to the CVE program, the official vulnerability naming and categorization source, making up 66.60% of all named vulnerabilities in the first half of 2025.

In terms of all-time CVE Numbering Authorities (CNAs), Patchstack has become the biggest discloser of vulnerabilities of all time, surpassing Wordfence, WPScan, and even Microsoft and GitHub.

Trends: comparison with 2024

Patchstack disclosed over 52% of all new vulnerabilities in 2024

In 2024, Patchstack disclosed 52% of all new vulnerabilities, meaning that our efforts to improve security research have been successful. Currently, in 2025, we have reported 66.60% of all named vulnerabilities.

What does this mean?

This means that, as a cybersecurity ecosystem, we are moving in the right direction. As more companies identify vulnerabilities and sponsor researchers who discover them, we are all working towards a shared goal: securing the open-source ecosystem.

Best strategies for strengthening WordPress security in 2025

Vulnerabilities are a fact of life, and this year’s half-year report shows it. 

However, every participant in the open-source space can do something to help mitigate the risks, particularly as we see more attackers employing more sophisticated (and, often, AI-driven) tactics. 

Proactivity is no longer something extra; it’s essential.

For hosts: what can hosting companies do in the second half of 2025 to strengthen security?

Security isn’t just a feature: it’s a foundational part of your customers’ trust in your platform. 

Hosting companies that take a proactive stance on vulnerability management are not only reducing incidents but also positioning themselves as premium, reliable providers.

In the second half of 2025, consider how you can best:

  • Embed (or start monitoring) vulnerability intelligence into your platform to identify and mitigate risks before they’re exploited.
  • Automate vulnerability mitigation to neutralize threats instantly, even before updates are available to your users (and they’ve had a chance to apply them).
  • Educate customers about security, so they understand the real risks of letting plugins go without security updates.

Partner with security experts who are the first to know about vulnerabilities and, as such, the first who can protect your users against them, to reduce your support workload and give you a new revenue stream (with time-to-ROI often as little as 4 weeks and margins up to +100%).

“Over the last 6 months, Patchstack has protected our users from 1.3 million vulnerabilities.”

Wes Tatters

Managing Director

For component developers

Developing a component isn’t easy, but don’t let security fall by the wayside.

With the Cyber Resilience Act approaching quickly, and being dubbed “The GDPR moment for plugin developers”, start mapping out your supply chain risks and consider a Managed Vulnerability Disclosure Program to work effectively with researchers.

You can get started with a free program at Patchstack and reinforce your compliance, as well as the security standards of your development practices.

For WordPress development agencies and users

It’s time to shift the conversation from backups to including security in your maintenance plans.

As a WordPress development or maintenance agency, the last thing you want is to be called at 2 am because a vulnerability exploit has led to your client’s site being down or, worse, full of pharma spam.

Patchstack’s security is now available through popular WordPress management platforms like WP Umbrella and WP Squared. Additionally, we offer highly competitive plans for real-time protection, starting at $79/month for 25 sites.
