{"id":218,"slug":"patchstack-2024-vuln-disclosure-4166-96pct-plugins","title":"Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core","kind":"reference","scope":"business","status":"current","audiences":["claude-code","candid-team"],"topics":["wordpress","security-vulnerabilities"],"reference_body":"**Claim (Patchstack 2025 mid-year report):**\n\n> \"In 2024, Patchstack's researchers and bug bounty hunters found **4,166 new security vulnerabilities**, with **96% of those vulnerabilities… in plugins** and 4% in themes, and **only 7 vulnerabilities in Core**.\"\n\nPatchstack mid-2025 update: \"In the first half of 2025, only 22% of vulnerabilities received a high or critical CVSS score… **41.5%** of vulnerabilities have been classified as exploitable in real life.\"\n\n**Source:** <https://patchstack.com/whitepaper/state-of-wordpress-security-in-2025/>; <https://patchstack.com/whitepaper/2025-mid-year-vulnerability-report/>\n\n**Confidence:** Verified.\n\n**The architectural lesson:** WordPress itself is not the vulnerability surface — plugins are. Per [[patchstack-91pct-vulns-in-plugins-2026]] the 2026 ratio is even more skewed at 91%. The single most effective security action for a WP site is **reducing the plugin count** (see [[rule-reduce-plugin-count-as-security-discipline]]).","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"patchstack-91pct-vulns-in-plugins-2026","title":"Patchstack 2026: 91% of new WordPress vulnerabilities are in plugins; only 6 CVEs in core","kind":"reference","scope":"business","link_type":"relates-to"}],"incoming":[{"slug":"patchstack-1614-plugins-removed-2024","title":"Patchstack 2024: 1,614 plugins and themes removed from .org repo for unpatched security issues","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"wordfence-2024-attack-volume-54b-requests","title":"Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"decay-vs-compound-matrix","title":"Reference framework: which website dimensions decay vs compound over 10 years (12-dimension matrix)","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"rule-reduce-plugin-count-as-security-discipline","title":"RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule.","kind":"rule","scope":"business","link_type":"depends-on"},{"slug":"research-brief-built-to-last","title":"Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15)","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"bricks-cve-2024-25600-exploited-24h","title":"Bricks CVE-2024-25600: unauthenticated RCE (CVSS 10) — exploited in the wild ~24 hours after patch release","kind":"reference","scope":"business","link_type":"depends-on"}]},"created_at":"2026-05-22T19:58:12.798Z","updated_at":"2026-05-22T19:58:12.798Z"}