Patchstack Whitepaper: WordPress Plugin Vulnerabilities Rise by 34% as CRA Compliance Deadline Nears


Patchstack’s 2025 WordPress Security report reveals increased vulnerabilities, inadequate developer responses, and highlights the need for improved security practices before the Cyber Resilience Act.

Patchstack’s State of WordPress Security in 2025 report highlights another record-breaking year for reported WordPress vulnerabilities and warns that the community is not ready for the European Union’s new Cyber Resilience Act (CRA).

In 2024, security researchers uncovered 7,966 new vulnerabilities in the WordPress ecosystem—a 34% increase from the previous year, averaging 22 vulnerabilities per day. Plugins continue to dominate as the primary weak point, accounting for 96% of all reported issues. Notably, 43% of the vulnerabilities required no authentication to exploit, leaving websites particularly vulnerable to automated attacks.

Oliver Sild, CEO of Patchstack, told The Repository that the most critical takeaway from this year’s report is that developers should expect more scrutiny and vulnerability reports than ever before.

“Plugin developers should understand there are more eyes than ever on the security of their plugins,” Sild said. “Every developer should anticipate receiving a vulnerability report next year. What’s crucial is how they handle these reports and whether they have proper vulnerability disclosure programs in place. This will significantly influence end-user trust.”

The report reveals a troubling gap in security practices: more than half of the plugin developers contacted by Patchstack in 2024 failed to release a fix before public disclosure. In total, 33% of all reported vulnerabilities remained unpatched when publicly disclosed, leaving thousands of websites exposed.

Sild attributed the delays to a lack of formal processes for handling security reports, which are often routed through customer support channels—sometimes inaccessible without a premium license. “There are also a lot of plugins that aren’t actively maintained anymore,” he added.

The problem of abandoned plugins continues to grow. In 2024, Patchstack’s bug hunting community contributed to the removal of 1,614 vulnerable plugins and themes from WordPress.org, yet many remain installed on live websites.

The report dispels a common misconception that popular plugins are inherently safer. Over 1,000 vulnerabilities were discovered in plugins with more than 100,000 active installs, including severe flaws in popular plugins such as LiteSpeed Cache, Really Simple SSL, Better Search Replace, and The Events Calendar. In 2024, Patchstack paid out its largest-ever bounty—$16,400—to researcher John Blackbourn for discovering a critical privilege escalation vulnerability in LiteSpeed Cache.

Sild said relying on plugin updates alone was no longer enough, pointing to a Remote Code Execution vulnerability in Bricks Builder that was exploited within hours of public disclosure. Many generic Web Application Firewalls (WAFs), including Cloudflare and ModSec, failed to stop the attack due to limited visibility into WordPress-specific threats.


“Patchstack vPatching is just taking away that exposure when updates are not available and to keep the website protected before it has been updated to a patched version,” Sild said. “It’s all about the speed to mitigation, and mitigating security vulnerabilities is one of the most important things, because up to a half of all WordPress websites that get hacked, it’s caused by those vulnerabilities.”

The CRA, Sild noted, could become a “GDPR moment” for WordPress developers, forcing a cultural shift toward formalized security practices across the ecosystem. To help developers ahead of its enforcement in 2026, Patchstack launched a free managed Vulnerability Disclosure Platform (mVDP) in September 2024, supported by the European Commission. The initiative helps plugin developers streamline security reporting and meet new regulatory obligations.

Sild argues WordPress leadership has an opportunity—and a responsibility—to lead by example. “I think WordPress has a great opportunity to be a trailblazer, to show how the open source ecosystem can adopt the Cyber Resilience Act and take software and supply chain security to a more mature level,” he said. “It’s not just an opportunity to improve WordPress’s reputation, but it’s also a necessity.”

The report flags growing community concerns around supply chain governance, as the ongoing dispute between WP Engine and Automattic has exposed risks beyond code—highlighting how trust and transparent security processes are now critical to the project’s long-term stability.

Patchstack is already working alongside key figures in the WordPress security community to address these challenges. Last weekend, Néstor Angulo de Ugarte, Patchstack’s Head of Engineering and Security, and Blackbourn, who’s the WordPress Security Team rep and Director of WordPress Security at Human Made, led a project at the CloudFest Hackathon focused on strengthening the supply chain for open source software.

Looking ahead, the report warns that AI is reshaping the threat landscape. Patchstack predicts that AI-powered tools will accelerate the exploitation of vulnerabilities, including those previously considered low priority, by enabling faster creation of attack scripts and more advanced malware.

Disclaimer: Patchstack is a Community Sponsor of The Repository. As per our Advertising Policy, Patchstack did not influence the reporting of this story.

