Last year, security researchers uncovered 7,966 new vulnerabilities impacting the WordPress ecosystem, most of them affecting plugins and themes, WordPress security firm Patchstack notes in a fresh report.
Only seven of the WordPress bugs that came to light last year affected the WordPress core. Most of the flaws were found in plugins (7,633 defects, representing 96% of the total), and a small percentage in themes (326, or 4%).
According to Patchstack, despite their large number, most of the vulnerabilities did not pose an active threat: 69.6% were considered unlikely to be exploited, 18.8% could be exploited in targeted attacks, and only 11.6% were exploited or expected to be.
The CVSS score assigned to these vulnerabilities tell a similar story: more than two-thirds were rated low or medium severity, and only one-third were rated high or critical severity.
However, Patchstack also notes that 43% of the WordPress security defects uncovered in 2024 could be exploited without authentication, although some of them required interaction from an authenticated user.
Roughly 43% of other vulnerabilities required the attacker to have low privileges, such as contributor or subscriber, and 12% required privileges such as administrator, author, or editor.
Nearly half of the WordPress flaws documented last year were cross-site scripting issues (47.7%), with broken access control (14.19%) and cross-site request forgery (11.35%) rounding up the top three.
A total of 1,018 issues were found in plugins with more than 100,000 installations, including 115 in plugins with more than 1 million installations. Seven of them affect plugins with over 10 million installations.
Patchstack also points out that developers of WordPress plugins need to act faster on improving security for their users. Last year, 33% of the uncovered bugs were not patched before public disclosure.
“Many of the vulnerabilities were disclosed in abandoned plugins and will likely never receive a patch. Most of them still have active installations; these insecure plugins remain installed and active across the web,” the company notes.
Related: Hunk Companion, WP Query Console Vulnerabilities Chained to Hack WordPress Sites
Related: Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover
Related: LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks
Related: Exploitation Expected for Flaw in Caching Plugin Installed on 5M WordPress Sites