Patchstack Mid-Year Report Flags Sharp Rise in Exploitable WordPress Vulnerabilities

Patchstack has published its 2025 mid-year vulnerability report, revealing a sharp rise in both the volume and severity of security issues across the WordPress ecosystem. In the first six months of the year, 6,700 new vulnerabilities were reported, with 41.5% exploitable in real-world conditions — a jump the company says is concerning.

It’s a big increase from the same period last year, when 30.4% of vulnerabilities were considered exploitable. Nearly 58% of those disclosed so far in 2025 can be triggered without any authentication, highlighting the risks posed by automated, large-scale attacks.

The vast majority of vulnerabilities were found in plugins (89%), followed by themes (11%), with just one vulnerability discovered in WordPress core. The most common types remain familiar: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Broken Access Control, and Local File Inclusion, together accounting for most reported vulnerabilities.

Patchstack, which in April became the world’s top CVE coordinator, attributes the increase to its growing bug bounty program and researcher community. More than 3,400 valid reports were submitted in the first half of 2025, making the company responsible for nearly 67% of all known WordPress vulnerabilities so far this year.

The report also challenges the reliability of CVSS (Common Vulnerability Scoring System) scores as a sole indicator of severity. While only 22% of vulnerabilities were rated high or critical under CVSS, Patchstack’s own scoring, which accounts for exploitability, reach, and active attack data, placed 41.5% in the high-priority category. Patchstack explains in the report: “As a general system, the CVSS score doesn’t account for the specifics of the WordPress ecosystem.”

Hosting companies are urged to take a more proactive role. The report notes that plugin updates often lag behind disclosures, increasing the window of risk. Even when a vulnerability originates in a third-party plugin or theme, hosts may still face reputational fallout and a surge in demand for support.

Theme security is also getting closer attention this year, as more premium developers join Patchstack’s managed vulnerability disclosure program. That trend is expected to accelerate with the EU’s Cyber Resilience Act set to take effect in 2026. Once in force, plugin and theme developers will be legally required to address security vulnerabilities, or face penalties similar to those under the GDPR.

The full report is available for download on the Patchstack website.

The post Patchstack Mid-Year Report Flags Sharp Rise in Exploitable WordPress Vulnerabilities appeared first on The Repository.
