{"id":83,"slug":"patchstack-91pct-vulns-in-plugins-2026","title":"Patchstack 2026: 91% of new WordPress vulnerabilities are in plugins; only 6 CVEs in core","kind":"reference","scope":"business","status":"current","audiences":["claude-code","dev","candid-team"],"topics":["tech-stack","wordpress"],"reference_body":"**Quote (Patchstack, State of WordPress Security in 2026):** *\"91% of new vulnerabilities were found in plugins, and 9% were found in themes. There were only 6 vulnerabilities reported in the WordPress core.\"*\n\n**Source:** <https://patchstack.com/whitepaper/state-of-wordpress-security-in-2026/>\n\n**Confidence:** Verified (primary).\n\n**Mechanism:** Each plugin is a separate attack surface, maintained by a separate developer (or no developer). A 30-plugin WordPress site has 30 attack surfaces; a custom Next.js site has its own npm dependency tree but no plugin-as-extension model.\n\n**Note:** Industry rules-of-thumb circulate (20-30 plugins average per business site; WPBeginner runs 62; FatLab Web Support reports 80+ extra files loaded on heavy plugin sites). Those are industry-consensus rules-of-thumb, not measured installed-base data — no host publishes hard averages.","rationale_body":null,"metadata":null,"links":{"outgoing":[],"incoming":[{"slug":"research-brief-marketing-sites-that-do-something","title":"Research brief: What makes a marketing site do something (piece on brochure vs platform)","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"patchstack-2024-vuln-disclosure-4166-96pct-plugins","title":"Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"wordfence-2024-attack-volume-54b-requests","title":"Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day","kind":"reference","scope":"business","link_type":"relates-to"}]},"created_at":"2026-05-22T18:58:11.569Z","updated_at":"2026-05-22T18:58:11.569Z"}