Patchstack 2026: 91% of new WordPress vulnerabilities are in plugins; only 6 CVEs in core
Quote (Patchstack, State of WordPress Security in 2026): "91% of new vulnerabilities were found in plugins, and 9% were found in themes. There were only 6 vulnerabilities reported in the WordPress core."
Source: https://patchstack.com/whitepaper/state-of-wordpress-security-in-2026/
Confidence: Verified (primary).
Mechanism: Each plugin is a separate attack surface, maintained by a separate developer (or by no one, once abandoned). A 30-plugin WordPress site therefore has 30 attack surfaces, each patched on its own schedule; a custom Next.js site has its own npm dependency tree but no plugin-as-extension model.
Note: Industry rules of thumb circulate (20-30 plugins on an average business site; WPBeginner runs 62; FatLab Web Support reports 80+ extra files loaded on heavy plugin sites). These are industry consensus, not measured installed-base data; no host publishes hard averages.
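A defender's first step on a site like the one described above is to inventory that attack surface. The script below is an added example, not part of Patchstack's report or WP-CLI itself; it parses the JSON that a real `wp plugin list --format=json` run emits (the sample data here is constructed) and counts installed, active, inactive and update-pending plugins, treating inactive plugins as surface too because their files stay on disk.

```python
import json
from collections import Counter

# Constructed sample of `wp plugin list --format=json` output; not from a real site.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.8"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "old-slider", "status": "inactive", "update": "available", "version": "2.1"},
    {"name": "security-plugin", "status": "active-network", "update": "none", "version": "3.0"},
])


def summarize_plugins(wp_cli_json):
    """Turn WP-CLI plugin inventory JSON into attack-surface counts.

    Every installed plugin counts, including inactive ones: their PHP files
    remain under wp-content/plugins and can be requested directly.
    """
    plugins = json.loads(wp_cli_json)
    status = Counter(p["status"] for p in plugins)
    outdated = sorted(p["name"] for p in plugins if p.get("update") == "available")
    return {
        "installed": len(plugins),
        "active": status["active"] + status["active-network"],
        "inactive": status["inactive"],
        "outdated": outdated,
    }


def attack_surface_report(wp_cli_json):
    """Human-readable summary for a review or ticket."""
    s = summarize_plugins(wp_cli_json)
    lines = [f"{s['installed']} plugins installed ({s['active']} active, {s['inactive']} inactive)"]
    if s["outdated"]:
        lines.append("updates pending: " + ", ".join(s["outdated"]))
    if s["inactive"]:
        lines.append("inactive plugins still ship code; delete them rather than leaving them deactivated")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a live site: wp plugin list --format=json | python3 this_script.py
    print(attack_surface_report(SAMPLE_WP_CLI_JSON))
```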
Referenced by (3):
- Research brief: What makes a marketing site do something (piece on brochure vs platform)
- Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core
- Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day