ZeroToWP
News, by Marvin Kweyu

11,334 New Vulnerabilities in 2025: Patchstack’s WordPress Security Report Paints a Grim Picture


[Figure: Patchstack State of WordPress Security in 2026 report]

Patchstack has released its annual State of WordPress Security in 2026 whitepaper, and the numbers are sobering. The WordPress ecosystem saw 11,334 new vulnerabilities disclosed in 2025 — a 42% increase over 2024’s 7,966. High-severity vulnerabilities more than doubled (+113%), and nearly half of all reported flaws had no patch available when they were made public.

If you run a WordPress site, this report is required reading. Here are the key takeaways.

Attackers Are Faster Than Ever

The most alarming finding: once a vulnerability is publicly disclosed, attackers move fast. Patchstack’s data shows a weighted median time-to-first-exploit of just 5 hours. Breaking it down:

  • 20% of heavily exploited vulnerabilities were attacked within 6 hours
  • 45% within 24 hours
  • 70% within 7 days

This means the old approach of updating plugins on the weekend is no longer viable. By the time you get around to it, your site may already be compromised.

Where the Vulnerabilities Live

[Figure: Patchstack WordPress vulnerability statistics for 2026]

The breakdown by component:

  • 91% of vulnerabilities were found in plugins
  • 9% in themes
  • Just 6 in WordPress core (all low priority)

WordPress core remains remarkably secure. The risk lies almost entirely in the plugin ecosystem — and premium plugins are not exempt. Patchstack received 1,983 vulnerability reports for premium or freemium components (29% of all reports), with 76% of those being exploitable in real-world attacks. Premium plugins also had nearly 3x more zero-day vulnerabilities than free ones (33 vs. 12).

The Most Common Attack Vectors

Broken Access Control dominated the exploit landscape in 2025:

  • Broken Access Control: 57% of exploited vulnerabilities
  • Privilege Escalation: 20%
  • Local File Inclusion: 10%
  • SQL Injection: 5%

The top exploited plugins included LiteSpeed Cache (unauthenticated stored XSS), SureTriggers (authorization bypass), and GiveWP (PHP object injection leading to remote code execution).

Traditional Security Tools Are Failing

Perhaps the most controversial finding: Patchstack’s pentesting studies found that traditional defenses blocked only 12% of WordPress-specific attacks. Even in broader testing across vulnerability types, the block rate only reached 26%. Tools tested included internal WAFs, Cloudflare, Imunify360, and ModSecurity.

This doesn’t mean you should ditch your WAF — layered security still matters. But it does mean that relying solely on a firewall while running outdated plugins is a losing strategy.

Malware Is Getting Sneakier

The report also tracked malware trends throughout 2025. Key patterns:

  • Holiday spike: Malicious uploads nearly tripled during November–December when staffing drops and traffic peaks
  • Multi-stage attacks: Uploader scripts doubled in June, signaling a shift from one-off exploits to persistent access
  • AI-aware evasion: The Parrot TDS malware family now detects AI crawlers to avoid detection
  • File injection over deployment: Attackers increasingly inject code into legitimate files rather than dropping obvious malicious ones
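The last two patterns (a standalone uploader dropped into the tree, and code injected into a legitimate file) are both invisible to a scanner that only looks for new, obviously malicious files. The check that catches both is a file-integrity comparison against a trusted manifest. The script below is an added example, not code from the report or from Patchstack: it verifies a WordPress-style tree against a manifest in the same shape as the one api.wordpress.org publishes for core ({"checksums": {"path": "md5hex"}}), reporting modified, missing and unexpected PHP files. The two-file "install", the manifest and the injected content are all constructed inline so it runs offline; `CLEAN_FILES`, `verify_tree` and `demo` are names chosen for this example.

```python
"""Offline integrity check of a WordPress-style tree against a checksum manifest.

Added example. The manifest format mirrors api.wordpress.org/core/checksums/1.0/
({"checksums": {"relative/path.php": "<md5 hex>", ...}}); the files, the manifest
and the "attacker" modifications below are constructed so the script runs with
no network access and no real WordPress install.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed two-file "install" standing in for a clean WordPress tree.
CLEAN_FILES = {
    "index.php": "<?php\nrequire __DIR__ . '/wp-includes/functions.php';\n",
    "wp-includes/functions.php": "<?php\nfunction wp_example() { return 1; }\n",
}


def md5_of(path):
    """MD5 of a file, streamed. MD5 is used only because the WordPress checksum
    API publishes MD5; the trust comes from the manifest source, not the hash."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(files):
    """Manifest in the api.wordpress.org shape, built from the clean file bodies."""
    return {"checksums": {rel: hashlib.md5(body.encode()).hexdigest()
                          for rel, body in files.items()}}


def verify_tree(root, manifest):
    """Compare a tree against the manifest.

    modified: a listed file whose content changed (code injected into a legitimate file)
    missing:  a listed file that is gone
    extra:    a .php file on disk that the manifest does not know (a dropped uploader)
    """
    root = Path(root)
    expected = manifest["checksums"]
    modified, missing, extra = [], [], []
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif md5_of(p) != digest:
            modified.append(rel)
    for p in root.rglob("*.php"):
        rel = p.relative_to(root).as_posix()
        if rel not in expected:
            extra.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "extra": sorted(extra)}


def demo():
    """Lay out the clean tree, confirm it verifies, then apply the three changes
    a compromise typically leaves behind and return what the check reports."""
    manifest = build_manifest(CLEAN_FILES)
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in CLEAN_FILES.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        assert verify_tree(tmp, manifest) == {"modified": [], "missing": [], "extra": []}

        # 1. Constructed injection: a one-line backdoor appended to a legitimate file.
        target = Path(tmp) / "wp-includes/functions.php"
        target.write_text(target.read_text() + "$c = $_POST['c']; eval($c);\n")
        # 2. Constructed uploader dropped where scanners often skip: the uploads dir.
        uploads = Path(tmp) / "wp-content/uploads"
        uploads.mkdir(parents=True)
        (uploads / "up.php").write_text("<?php move_uploaded_file($_FILES['f']['tmp_name'], $_POST['to']);\n")
        # 3. A listed file removed outright.
        (Path(tmp) / "index.php").unlink()

        return verify_tree(tmp, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real site the manifest comes from a source you trust (the WordPress.org API for core, your own hashes taken at deploy time for plugins and themes), and the scan is only as good as the extension list: attackers also use .phtml, .php5 and .phar, and code hidden in .htaccess or a theme's functions.php is still caught only if that file is in the manifest. WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` do the same comparison for core and for plugins hosted on WordPress.org, which makes them a cheap addition to the extra-monitoring schedule the report recommends for high-traffic, low-staff periods.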

What You Should Do

Based on Patchstack’s findings, here’s the minimum security hygiene for WordPress site owners in 2026:

  1. Enable automatic updates for plugins and themes — with a median time-to-exploit of 5 hours, manual updating is too slow. Keep in mind that nearly half of 2025's flaws had no patch at disclosure, so auto-updates close the window only once the vendor ships a fix
  2. Audit your plugins regularly — remove anything you’re not actively using
  3. Don’t assume premium means secure — paid plugins had more zero-days than free ones
  4. Layer your defenses — no single tool catches everything; combine a WAF with virtual patching and monitoring
  5. Watch the holidays — schedule extra monitoring during high-traffic, low-staff periods

The full State of WordPress Security in 2026 whitepaper is available for free on Patchstack’s website.
