In 2024, the WordPress ecosystem experienced a significant surge in reported vulnerabilities, with security researchers identifying 7,966 new issues, marking a 34% increase from the previous year.

A vast majority of these vulnerabilities—96%—were found in plugins, while themes accounted for 4%. Notably, only seven vulnerabilities were associated with the WordPress core itself.
Despite the high number of reported vulnerabilities, most were deemed low to medium severity, with over two-thirds falling into these categories.
However, 43% of these vulnerabilities could be exploited without authentication, posing significant security risks. The most prevalent issues included cross-site scripting (47.7%), broken access control (14.19%), and cross-site request forgery (11.35%).
A concerning finding from 2024 was that over half of the plugin developers notified about vulnerabilities did not patch the issues before public disclosure, raising questions about the readiness of the WordPress ecosystem to handle such security challenges.

This surge in vulnerabilities underscores the critical need for website administrators and developers to remain vigilant. Regularly updating plugins and themes, conducting security audits, and implementing robust security measures are essential steps to safeguard websites against potential threats.