Read the original report on Patchstack.
Key Figures
- In 2024, 7,966 new vulnerabilities were found in the WordPress ecosystem, primarily in third-party plugins. That’s a 34% increase over 2023. While the majority of vulnerabilities don’t pose an active risk, high-priority vulnerabilities were also up 11% year on year.
- 96% of the vulnerabilities were uncovered in plugins, and 4% were found in themes. Only seven vulnerabilities were uncovered in WordPress core itself, but none of those were significant enough to pose a widespread threat.
- 43% of new vulnerabilities found in 2024 did not require any authentication to be exploited. While vulnerabilities that require no authentication tend to be easier to exploit, that is not always the case.
- Cross-Site Scripting (XSS) remains the most widespread vulnerability.
- 1,018 vulnerabilities were found last year in components with at least 100,000 installs; of these, 153 received a High or Medium Patchstack Priority score. This demonstrates that install count is not a reliable indicator of a component’s security.
- In 2024, 33% of vulnerabilities were not fixed in time for public disclosure. Many of these were disclosed in abandoned plugins and will likely never receive a patch, yet most of them still have active installations, so these insecure plugins remain installed and active across the web.
- It’s widely known that popular security plugins used for malware scanning are disabled, bypassed and even completely removed by malware. In 2023, the security company WeWatchYourWebsite identified 58,848 malware-infected WordPress websites that had Wordfence installed prior to infection, and in 14% of those cases the malware tampered with Wordfence’s files to stay hidden.
About Patchstack
Patchstack is a well-known WordPress vulnerability intelligence provider. They help hosting companies and website developers find and mitigate vulnerabilities in WordPress core, themes and plugins.
Patchstack is backed by hundreds of ethical hackers through a global community called Patchstack Alliance. They actively search for new security vulnerabilities and potential threats so that Patchstack can notify its users and partners.
In 2024, Patchstack was responsible for coordinating the disclosure of 52% of all new vulnerabilities, followed by Wordfence (39.39%), WPScan (7.46%), and others (0.85%).