<div style="text-align:center"><img src="https://i3.wp.com/www.therepository.email/wp-content/uploads/2024/12/patchstack-repository-ad-block-01.png?ssl=1" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="Patchstack Mid-Year Report Flags Sharp Rise in Exploitable WordPress Vulnerabilities" title="Patchstack Mid-Year Report Flags Sharp Rise in Exploitable WordPress Vulnerabilities" /></div><div>
<p><a href="https://patchstack.com/whitepaper/2025-mid-year-vulnerability-report">Patchstack has published its 2025 mid-year vulnerability report</a>, revealing a sharp rise in both the volume and severity of security issues across the WordPress ecosystem. In the first six months of the year, 6,700 new vulnerabilities were reported, with 41.5% exploitable in real-world conditions — a jump the company says is concerning.</p>
<p>It’s a big increase from the same period last year, when 30.4% of vulnerabilities were considered exploitable. Nearly 58% of those disclosed so far in 2025 can be triggered without any authentication, highlighting the risks posed by automated, large-scale attacks.</p>
<p>The vast majority of vulnerabilities were found in plugins (89%), followed by themes (11%), with just one vulnerability discovered in WordPress core. The most common types remain familiar: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Broken Access Control, and Local File Inclusion, together accounting for most reported vulnerabilities.</p>
<p>Patchstack, which in April became the <a href="https://www.therepository.email/patchstack-becomes-top-cve-coordinator-surpassing-microsoft-in-reported-vulnerabilities">world’s top CVE coordinator</a>, attributes the increase to its growing bug bounty program and researcher community. More than 3,400 valid reports were submitted in the first half of 2025, making the company responsible for nearly 67% of all known WordPress vulnerabilities so far this year.</p>
<p>The report also challenges the reliability of <a href="https://www.first.org/cvss/">CVSS</a> (Common Vulnerability Scoring System) scores as a sole indicator of severity. While only 22% of vulnerabilities were rated high or critical under CVSS, Patchstack’s own scoring, which accounts for exploitability, reach, and active attack data, placed 41.5% in the high-priority category. Patchstack explains in the report: “As a general system, the CVSS score doesn’t account for the specifics of the WordPress ecosystem.”</p>
<p>Hosting companies are urged to take a more proactive role. The report notes that plugin updates often lag behind disclosures, increasing the window of risk. Even when a vulnerability originates in a third-party plugin or theme, hosts may still face reputational fallout and a surge in demand for support.</p>
<p>Theme security is also getting closer attention this year, as more premium developers join Patchstack’s managed vulnerability disclosure program. That trend is expected to accelerate with the EU’s Cyber Resilience Act set to take effect in 2026. Once in force, plugin and theme developers will be legally required to address security vulnerabilities, or face penalties similar to those under the GDPR.</p>
<p>The full report is <a href="https://patchstack.com/whitepaper/2025-mid-year-vulnerability-report">available for download</a> on the Patchstack website.</p>
<p>The post <a href="https://www.therepository.email/patchstack-mid-year-report-flags-sharp-rise-in-exploitable-wordpress-vulnerabilities">Patchstack Mid-Year Report Flags Sharp Rise in Exploitable WordPress Vulnerabilities</a> appeared first on <a href="https://www.therepository.email/">The Repository</a>.</p>
</div>