In the week of March 25, 2026, SolidWP published its weekly vulnerability report. The count: 331 new vulnerabilities. 275 in plugins, 56 in themes, zero in WordPress core. And this wasn't even the worst week of 2026. That honor goes to February 4, when 661 vulnerabilities were disclosed in a single seven-day stretch.
These aren't theoretical risks. They're real entry points that attackers actively scan for, sometimes within hours of disclosure.
TL;DR: WordPress core itself is remarkably secure, with just 2 vulnerabilities in all of 2025. The real attack surface is plugins. Over 11,000 plugin vulnerabilities were disclosed in 2025 alone, nearly 58% exploitable without any login, and attackers begin scanning within 5 hours of disclosure. The average site owner takes 14 days to patch. That gap is where sites get compromised.
Table of contents
- The numbers behind the headlines
- Why plugins are the weak link
- How plugin attacks actually work
- Supply chain attacks: when the plugin itself is compromised
- What you can do about it
- When patching alone isn't enough
- Key takeaways
The numbers behind the headlines
The scale of WordPress plugin vulnerabilities has grown exponentially. Patchstack's 2026 annual report documents the trajectory:
| Year | Vulnerabilities disclosed | Year-over-year growth |
|---|---|---|
| 2023 | 5,943 | — |
| 2024 | 7,966 | +34% |
| 2025 | 11,334 | +42% |
That's an average of 218 new vulnerabilities per week in 2025. The WPScan database now contains over 71,000 total vulnerability entries across 15,236 plugins.
Where do these vulnerabilities come from? Not WordPress itself. Of the 11,334 vulnerabilities in 2025, 91% were in plugins, and only 2 were in WordPress core. The WordPress core team does a solid job maintaining security. The problem lives in the ecosystem around it.
And the WordPress ecosystem is enormous. The WordPress.org plugin directory hosts over 60,000 free plugins, with tens of thousands more on premium marketplaces. A typical business site runs 20 to 30 plugins. Each one is an additional attack surface.
Why plugins are the weak link
The plugin ecosystem has a structural problem that goes beyond individual bugs. Research into the WordPress plugin directory paints a stark picture: over 59% of plugins haven't been updated in two or more years. Another 27% haven't been touched in five. Many of these still have active installations.
An abandoned plugin doesn't just miss new features; it stops receiving security patches. And when a vulnerability is discovered in a plugin whose developer has moved on, there's no one to fix it. Patchstack's data shows that 45–46% of WordPress vulnerabilities in 2025 had no fix available at the time they were publicly disclosed. During the worst week in January 2026, that number hit 71%.
A separate Bitdefender analysis found that nearly 30% of critical vulnerabilities in WordPress plugins are never patched at all. Not eventually. Never.
The vulnerability types tell their own story. According to Patchstack's 2025 statistics, Cross-Site Scripting (XSS) accounts for 40% of all disclosures. But the vulnerabilities that actually get exploited at scale look different: broken access control causes 57% of real-world attacks, followed by privilege escalation at 20%. Attackers don't waste time on XSS when they can simply bypass authentication entirely.
How plugin attacks actually work
Here's the part most articles skip: the timeline of a real attack.
When a vulnerability is publicly disclosed (meaning published to a security database or a researcher's blog), attackers don't wait. Patchstack's 2026 data measured the gap: the weighted median time to first mass exploitation is 5 hours. Not days. Hours. Within 24 hours, 45% of heavily targeted vulnerabilities are under active attack. Within a week, 70%.
The average WordPress site owner applies critical security patches 14 days after they become available. That leaves a minimum 10-day window where the vulnerability is known, the exploit is circulating, and the site is unprotected.
What does exploitation look like in practice? A few real cases from 2025–2026:
LiteSpeed Cache (CVE-2024-28000), installed on 5 million+ sites. A weak hash could be brute-forced to spoof user IDs, granting unauthenticated attackers full admin access. Over 30,000 attacks in the first 24 hours after disclosure.
King Addons for Elementor (CVE-2025-8489): unauthenticated admin account creation through a crafted registration request. Wordfence blocked over 48,400 exploit attempts after mass exploitation started in November 2025.
WPvivid Backup & Migration (CVE-2026-1357): a chained cryptographic fail-open plus path traversal gave unauthenticated attackers remote code execution on 900,000+ sites. CVSS score: 9.8 out of 10.
Notice the pattern. These aren't obscure plugins. They're popular tools with millions of installations. And the critical vulnerabilities are almost always unauthenticated: 57.6% of all WordPress plugin vulnerabilities in H1 2025 required no login at all to exploit. Any internet user can trigger them.
If you want to understand what happens after an attacker gets in, I've written a detailed walkthrough of a WordPress hack from break-in to blacklist.
Supply chain attacks: when the plugin itself is compromised
There's a more unsettling variant of plugin vulnerability: attacks where the plugin's distribution channel itself is compromised. You install or update a plugin through the official channel, and the update contains malicious code.
This isn't hypothetical. It's happened repeatedly:
In June 2024, attackers compromised developer accounts on WordPress.org using passwords from previous data breaches. They injected malware into five plugins (including Social Warfare and Contact Form 7 Multi-Step Addon) that created hidden admin accounts and injected SEO spam. The malicious versions were served through the official WordPress.org update mechanism.
In July 2025, Gravity Forms, one of the most popular premium WordPress plugins, had its official download server compromised. A malicious domain (gravityapi.org) was registered, and tainted versions were distributed containing a backdoor for data exfiltration and remote code execution.
The largest documented supply chain attack hit AccessPress Themes in 2022. 93 products (40 themes and 53 plugins) were backdoored at the company level. A webshell was written into WordPress core's wp-includes/vars.php across 360,000 installations.
These attacks are harder to defend against because the trust model itself breaks. You're doing the right thing, updating your plugins, and that's exactly how the malware gets in.
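Because a tainted update arrives through the channel you are supposed to trust, the practical control is to watch what an update actually writes to disk. The following is an added example, not code from the article or from WordPress: it does by hand what `wp core verify-checksums` does for core files (hash a known-good tree, then diff after an update) and rates any write outside the updated plugin's own directory. The directory tree, file contents and the plugin name `example-plugin` are constructed placeholders built in a temporary directory.

```python
"""File-integrity baseline and diff for a WordPress tree.

Added example, not from the article or WordPress. A plugin update should only
touch its own directory under wp-content/plugins/; a change under wp-includes/
or wp-admin/ during a plugin update is the AccessPress-style signal (a core
file such as wp-includes/vars.php being rewritten). The tree below is
constructed in a temporary directory and its file contents are placeholders.
"""
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-includes/", "wp-admin/")


def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Split paths into modified / added / removed relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def classify(diff, updated_plugin):
    """Rate each change: core must not move during a plugin update, and the
    update itself should stay inside its own plugin directory."""
    own_dir = f"wp-content/plugins/{updated_plugin}/"
    findings = []
    for kind in ("modified", "added", "removed"):
        for path in diff[kind]:
            if path.startswith(CORE_DIRS):
                sev = "CRITICAL"    # core file changed by a plugin update: treat as compromise
            elif path.startswith(own_dir):
                sev = "EXPECTED"    # the update rewriting its own files
            else:
                sev = "SUSPICIOUS"  # write outside the updated plugin's directory
            findings.append((sev, kind, path))
    order = {"CRITICAL": 0, "SUSPICIOUS": 1, "EXPECTED": 2}
    findings.sort(key=lambda f: (order[f[0]], f[2]))
    return findings


def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def run_demo():
    """Build a known-good tree, simulate a tainted plugin update, classify the diff."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed known-good install (placeholder contents, not real WP files).
        _write(root, "wp-includes/vars.php", "<?php // core: browser/os detection\n")
        _write(root, "wp-admin/index.php", "<?php // core: dashboard\n")
        _write(root, "wp-content/plugins/example-plugin/example-plugin.php", "<?php // v1.0\n")
        baseline = build_manifest(root)

        # Simulated tainted update: the plugin's own file changes (expected), but a
        # core file is also rewritten and a stray file appears elsewhere (not expected).
        _write(root, "wp-content/plugins/example-plugin/example-plugin.php", "<?php // v1.1\n")
        _write(root, "wp-includes/vars.php",
               "<?php // core: browser/os detection\n// constructed marker: unexpected write\n")
        _write(root, "wp-content/uploads/cache.php", "<?php // constructed stray file\n")

        return classify(diff_manifests(baseline, build_manifest(root)), "example-plugin")


if __name__ == "__main__":
    for sev, kind, path in run_demo():
        print(f"{sev:10} {kind:8} {path}")
```

The baseline must be taken from a state you trust (a fresh install plus verified plugin packages), stored off the web server, and refreshed only after a core update you initiated yourself; otherwise the compromised update simply becomes the new baseline.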
What you can do about it
Practical steps that actually reduce your risk:
Audit your plugin list. Remove plugins you're not actively using. Every plugin you remove is an attack vector eliminated. Check when each remaining plugin was last updated, and if it hasn't been touched in over a year, look for an actively maintained alternative.
Update fast. Not next week. Not "when I have time." The 5-hour exploitation window means delays have real consequences. Enable automatic updates for plugins you trust, or use a staging environment to test updates quickly before pushing them live.
Check what you install. Before adding a new plugin, look at: last updated date, number of active installations, developer track record, and the support forum (unresolved security reports are a red flag). A plugin with 50 installations and no updates in 18 months is a liability.
Use two-factor authentication. Many plugin vulnerabilities escalate through admin accounts. Even if an attacker exploits a privilege escalation bug, 2FA on admin accounts adds a barrier to the highest-impact actions.
Monitor for known vulnerabilities. Tools like Patchstack and Wordfence maintain real-time databases of WordPress plugin vulnerabilities and can alert you when a plugin on your site is affected.
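The audit, update and monitoring steps above can be scripted against the inventory WP-CLI already gives you. The script below is an added example, not code from the article or from WP-CLI, Patchstack or Wordfence. It assumes the JSON shape of `wp plugin list --format=json` in recent WP-CLI releases (the fields `name`, `status`, `version`, `update`, `update_version` and `wporg_last_updated`); the plugin records, the advisory feed and the plugin names are constructed sample data, not real plugins or CVEs.

```python
"""Plugin inventory audit from WP-CLI output.

Added example, not from the article, WP-CLI, Patchstack or Wordfence. Input is
the JSON printed by `wp plugin list --format=json`; the field names are assumed
to match recent WP-CLI releases. The plugin records and the advisory feed below
are constructed sample data.
"""
import json
from datetime import date

STALE_DAYS = 365                # the article's "not touched in over a year" threshold
AUDIT_DATE = date(2026, 3, 25)  # fixed so the demo is reproducible

# Constructed stand-in for `wp plugin list --format=json` output.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "example-forms", "status": "active", "version": "3.1.0",
     "update": "available", "update_version": "3.1.2", "wporg_last_updated": "2026-03-10"},
    {"name": "legacy-gallery", "status": "active", "version": "1.4.7",
     "update": "none", "update_version": "", "wporg_last_updated": "2021-06-02"},
    {"name": "old-seo-helper", "status": "inactive", "version": "2.0.0",
     "update": "none", "update_version": "", "wporg_last_updated": "2025-11-20"},
    {"name": "example-cache", "status": "active", "version": "5.2.0",
     "update": "none", "update_version": "", "wporg_last_updated": "2026-03-20"},
])

# Constructed advisory feed in the shape a vulnerability monitor exports:
# versions below `affected_below` are vulnerable; fixed_in=None means no patch
# exists yet (the 45-46% "no fix at disclosure" case from the article).
SAMPLE_ADVISORIES = [
    {"slug": "example-forms", "affected_below": "3.1.2", "fixed_in": "3.1.2"},
    {"slug": "legacy-gallery", "affected_below": "1.5.0", "fixed_in": None},
]

SEVERITY = {"CRITICAL": 0, "UPDATE_NOW": 1, "REMOVE": 2, "UPDATE": 3, "STALE": 4}


def parse_version(v):
    """Turn '3.1.2' into (3, 1, 2); non-numeric parts (e.g. '1.0-beta') count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than b; '3.1' and '3.1.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def audit_plugins(plugin_list_json, advisories, today):
    """Return (plugin, severity, action) triples, most urgent first."""
    advisories_by_slug = {a["slug"]: a for a in advisories}
    findings = []
    for p in json.loads(plugin_list_json):
        name = p["name"]
        if p["status"] == "inactive":
            findings.append((name, "REMOVE",
                             "inactive but still on disk: delete it, deactivation does not remove the code"))
        adv = advisories_by_slug.get(name)
        if adv and version_lt(p["version"], adv["affected_below"]):
            if adv["fixed_in"] is None:
                findings.append((name, "CRITICAL",
                                 "known vulnerability with no fix: disable or replace it, or rely on a virtual patch"))
            else:
                findings.append((name, "UPDATE_NOW", f"vulnerable {p['version']}, fix is {adv['fixed_in']}"))
        elif p["update"] == "available":
            findings.append((name, "UPDATE", f"{p['version']} -> {p['update_version']} is available"))
        # Plugins not hosted on WordPress.org have no wporg_last_updated; skip the staleness check for them.
        if p.get("wporg_last_updated"):
            age = (today - date.fromisoformat(p["wporg_last_updated"])).days
            if age > STALE_DAYS:
                findings.append((name, "STALE",
                                 f"no upstream release for {age} days: look for a maintained alternative"))
    findings.sort(key=lambda f: SEVERITY[f[1]])  # stable sort keeps inventory order within a severity
    return findings


def run_audit():
    """Run the audit on the constructed sample data."""
    return audit_plugins(SAMPLE_PLUGIN_LIST, SAMPLE_ADVISORIES, AUDIT_DATE)


if __name__ == "__main__":
    for plugin, severity, action in run_audit():
        print(f"{severity:10} {plugin:16} {action}")
```

On a real site, pipe `wp plugin list --format=json` into `audit_plugins` and replace `SAMPLE_ADVISORIES` with the export of whichever vulnerability feed you subscribe to; the ordering puts the "vulnerable with no fix" case first because it is the one that no amount of update discipline resolves.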
When patching alone isn't enough
Here's the uncomfortable truth: even if you patch diligently, you can't patch fast enough for every vulnerability. With 218 new ones per week and a 5-hour median exploitation window, there will always be a gap between disclosure and your update.
This is where layered security earns its keep. A Web Application Firewall can block known attack patterns at the network level before they reach your WordPress installation. But standard WAFs have a limitation: Patchstack's data found that traditional WAFs block only 12–26% of WordPress-specific attacks because they lack application context.
That's where virtual patching comes in: targeted firewall rules that understand the specific vulnerability's parameters (which plugin, which endpoint, which request pattern) and block exactly that exploit. Patchstack's RapidMitigate system, for example, can deploy virtual patches up to 48 hours before public disclosure through their bug bounty program, closing the window before attackers even know it's open.
The difference between managed and unmanaged hosting becomes most visible in these gaps. A site on shared hosting with manual updates has that 14-day average exposure window. A managed environment with automatic updates, vulnerability monitoring, and virtual patching shrinks it to hours, or eliminates it entirely for known threats.
That said, no single layer solves everything. Virtual patching protects against known vulnerabilities. It doesn't catch a zero-day in a plugin nobody has audited, and it doesn't help if the plugin developer's own infrastructure is compromised. Security is layers, not a single product.
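To make the difference between a generic WAF signature and a virtual patch concrete, here is an added example, not Patchstack's RapidMitigate or any real WAF's code. A virtual patch carries application context (plugin, endpoint, parameter, and the version the real fix shipped in), so it fires only while the vulnerable version is installed and disarms itself once the site is patched; a context-free signature list never sees the request as malicious at all. The plugin slug `example-addons`, the REST route, the parameter and the advisory id are hypothetical, and the requests are constructed.

```python
"""Context-aware virtual patch vs. a generic WAF signature list.

Added example; not Patchstack's or any real WAF's code. The plugin slug,
endpoint, parameter and advisory id are hypothetical, the requests constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualPatch:
    plugin: str          # plugin slug the rule protects
    fixed_in: str        # rule is armed only while installed version < fixed_in
    method: str
    path: str            # exact REST route served by the vulnerable handler
    param: str           # request parameter the vulnerable code trusts
    pattern: re.Pattern  # value shape that reaches the vulnerable branch
    advisory: str


# Hypothetical advisory: a registration endpoint that honours a caller-supplied role.
PATCHES = [
    VirtualPatch(
        plugin="example-addons",
        fixed_in="2.4.1",
        method="POST",
        path="/wp-json/example-addons/v1/register",
        param="role",
        pattern=re.compile(r"^(administrator|editor)$", re.IGNORECASE),
        advisory="EXAMPLE-ADV-0001 (hypothetical)",
    ),
]

# What a context-free WAF typically carries: generic payload signatures.
GENERIC_SIGNATURES = [
    re.compile(r"<script", re.IGNORECASE),
    re.compile(r"union\s+select", re.IGNORECASE),
    re.compile(r"\.\./"),
]


def version_tuple(v):
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def is_armed(patch, installed):
    """Armed only if the plugin is installed and older than the fixed version."""
    v = installed.get(patch.plugin)
    return v is not None and version_tuple(v) < version_tuple(patch.fixed_in)


def generic_waf(request):
    """Signature-only inspection: no idea which plugin or endpoint is involved."""
    for value in request["params"].values():
        for sig in GENERIC_SIGNATURES:
            if sig.search(str(value)):
                return "BLOCK"
    return "ALLOW"


def virtual_patch_waf(request, installed, patches=PATCHES):
    """Block only the exact (plugin, endpoint, parameter, value) the advisory describes."""
    for p in patches:
        if not is_armed(p, installed):
            continue
        if request["method"] != p.method or request["path"] != p.path:
            continue
        value = request["params"].get(p.param)
        if value is not None and p.pattern.match(str(value)):
            return "BLOCK"
    return "ALLOW"


def run_demo():
    """(label, generic decision, virtual-patch decision) for constructed requests."""
    legit = {"method": "POST", "path": "/wp-json/example-addons/v1/register",
             "params": {"user": "alice", "role": "subscriber"}}
    abuse = {"method": "POST", "path": "/wp-json/example-addons/v1/register",
             "params": {"user": "mallory", "role": "administrator"}}
    other = {"method": "POST", "path": "/wp-json/other-plugin/v1/profile",
             "params": {"role": "administrator"}}   # same value, unrelated endpoint
    vulnerable = {"example-addons": "2.3.0"}
    patched = {"example-addons": "2.4.1"}
    return [
        ("legit signup, vulnerable version", generic_waf(legit), virtual_patch_waf(legit, vulnerable)),
        ("role abuse, vulnerable version", generic_waf(abuse), virtual_patch_waf(abuse, vulnerable)),
        ("role abuse, patched version", generic_waf(abuse), virtual_patch_waf(abuse, patched)),
        ("same value, other endpoint", generic_waf(other), virtual_patch_waf(other, vulnerable)),
    ]


if __name__ == "__main__":
    for label, generic, vpatch in run_demo():
        print(f"{label:34} generic={generic:5} virtual-patch={vpatch}")
```

The second row is the article's 12-26% point in miniature: the request contains nothing a payload signature recognises, so only a rule that knows this plugin and this endpoint can stop it. The third row is the caveat: the rule keys off the installed version, so it stops matching as soon as the real fix is applied, and it never fires for a plugin whose vulnerability has not been published, which is exactly the zero-day gap the text describes.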
WordPress.org is also strengthening its own defenses. In October 2025, the Plugin Check tool was updated to automatically scan every plugin update (not just new submissions) for security issues. It's a meaningful step toward catching vulnerabilities before they reach the directory.
Key takeaways
- WordPress core is secure. Plugins are where 91% of vulnerabilities live.
- Over 11,000 plugin vulnerabilities were disclosed in 2025, up 42% from 2024.
- Attackers start scanning within 5 hours of disclosure. The average site owner patches after 14 days.
- 57.6% of plugin vulnerabilities require no authentication to exploit.
- Audit your plugin list, remove what you don't use, and update what you keep. Fast.
- Layered defenses (WAF + virtual patching + monitoring) close the gap that patching alone can't.