Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core
Claim (Patchstack 2025 mid-year report):
"In 2024, Patchstack's researchers and bug bounty hunters found 4,166 new security vulnerabilities, with 96% of those vulnerabilities… in plugins and 4% in themes, and only 7 vulnerabilities in Core."
Patchstack mid-2025 update: "In the first half of 2025, only 22% of vulnerabilities received a high or critical CVSS score… 41.5% of vulnerabilities have been classified as exploitable in real life."
Source: https://patchstack.com/whitepaper/state-of-wordpress-security-in-2025/; https://patchstack.com/whitepaper/2025-mid-year-vulnerability-report/
Confidence: Verified.
The architectural lesson: WordPress itself is not the vulnerability surface — plugins are. Per Patchstack 2026, 91% of new WordPress vulnerabilities are in plugins and only 6 CVEs are in core; the 2026 ratio is even more skewed, at 91%. The single most effective security action for a WP site is reducing the plugin count (see RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule.).
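As an added example (not Patchstack's or any project's own tooling), a small Python audit that applies the quarterly, one-in-one-out rule above to a plugin inventory; it assumes the JSON shape emitted by `wp plugin list --format=json` (fields name, status, update, version) and runs on a constructed sample inventory.

```python
"""Quarterly WordPress plugin-surface audit (added example).

Assumes the input matches `wp plugin list --format=json`; the inventory
below is constructed for the demo, not taken from a real site.
"""
import json

# Constructed sample: what `wp plugin list --format=json` would emit.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "1.2"},
    {"name": "forms-pro", "status": "active", "update": "available", "version": "3.0.1"},
    {"name": "seo-lite", "status": "inactive", "update": "none", "version": "2.4"},
    {"name": "hello", "status": "must-use", "update": "none", "version": "1.7"},
])


def audit_plugins(inventory_json, baseline_count):
    """Report the plugin surface and check it against last quarter's count.

    Every installed plugin counts as surface whether active or not: inactive
    plugin files stay on disk and web-reachable. Inactive plugins are listed
    as removal candidates, non-inactive plugins with a pending update as
    patch-now items, and the total is compared with the previous baseline
    to enforce one-in, one-out.
    """
    plugins = json.loads(inventory_json)
    inactive = sorted(p["name"] for p in plugins if p["status"] == "inactive")
    stale = sorted(p["name"] for p in plugins
                   if p["status"] != "inactive" and p["update"] == "available")
    return {
        "total": len(plugins),
        "remove_candidates": inactive,
        "patch_now": stale,
        "surface_after_cleanup": len(plugins) - len(inactive),
        "one_in_one_out_ok": len(plugins) <= baseline_count,
    }


if __name__ == "__main__":
    # baseline_count is the plugin count recorded at the previous audit.
    print(json.dumps(audit_plugins(SAMPLE_INVENTORY, baseline_count=4), indent=2))
```

Feed it real output with `wp plugin list --format=json > plugins.json` and compare against the count stored at the last audit.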
Related
Referenced by (6)
- reference: Patchstack 2024: 1,614 plugins and themes removed from .org repo for unpatched security issues (relates-to)
- reference: Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day (relates-to)
- reference: Reference framework: which website dimensions decay vs compound over 10 years (12-dimension matrix) (depends-on)
- rule: RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule. (depends-on)
- reference: Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15) (relates-to)
- reference: Bricks CVE-2024-25600: unauthenticated RCE (CVSS 10) — exploited in the wild ~24 hours after patch release (depends-on)