Patchstack 2025 Mid-Year Report: XSS and Plugin Vulnerabilities Top WordPress Ecosystem Risks


The 2025 mid-year security report from Patchstack reveals that the WordPress ecosystem saw a record 6,700 new vulnerabilities disclosed in the first half of 2025. 41% of them are exploitable in real-world scenarios, as assessed by Patchstack’s own priority scoring system, up from 30.4% in the same period last year.

XSS Leads as Most Common WordPress Vulnerability in 2025 So Far

Cross-Site Scripting (XSS) is the most frequently reported vulnerability type in the first half of 2025, accounting for 34.7% of all cases, followed by Cross-Site Request Forgery (CSRF) with 19%, while Local File Inclusion (LFI) made up 12.6%. Broken Access Control and SQL Injection (SQLi) are at 10.9% and 7.2% respectively.

Plugins Remain Top Source of WordPress Vulnerabilities

WordPress plugins were the most exploited component, accounting for 89% of reported vulnerabilities; themes accounted for 11%, and WordPress core had just one.

The number of vulnerabilities discovered in themes so far is already more than last year’s total, which the report attributes to more premium theme developers joining Patchstack’s managed Vulnerability Disclosure Program (mVDP): “Compared to our data for the first half of 2025, Patchstack’s researchers and bug bounty hunters found more vulnerabilities in themes than they did in 2024. This correlates to a growing number of premium theme developers joining Patchstack’s mVDP program.”

Most WordPress Vulnerabilities Reported Require No Login to Exploit

The report also highlights that 57.6% of reported WordPress vulnerabilities can be exploited without any authentication, meaning attackers don’t need login access to initiate an attack. Beyond this, 20.6% of flaws require only low-level Contributor permissions, while 11.5% can be triggered by users with basic Subscriber roles.
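The unauthenticated and low-privilege figures above, together with the XSS, CSRF and broken-access-control categories in the breakdown, usually trace back to one recurring plugin pattern: an AJAX handler that is reachable without login, checks no capability, validates no nonce, and echoes input unescaped. The following is an added illustration written for this article, not code from the Patchstack report or from any real plugin; the handler names, the `example_banner_text` option and the `nonce` field are hypothetical. It shows that pattern next to a hardened version using standard WordPress functions.

```php
<?php
/**
 * Added illustration (hypothetical plugin code, not from the report):
 * the same setting-save endpoint written insecurely and then hardened.
 */

// --- Weak version: the shape behind the "no login required" statistics ---
function example_save_banner_insecure() {
    // Hooked to both wp_ajax_ and wp_ajax_nopriv_ below, so anyone on the
    // internet can reach it; there is no capability check and no nonce check
    // (broken access control + CSRF).
    $banner = $_POST['banner'] ?? '';          // no sanitization
    update_option( 'example_banner_text', $banner );
    echo 'Saved: ' . $banner;                  // unescaped reflection (XSS)
    wp_die();
}
add_action( 'wp_ajax_example_save_banner_insecure', 'example_save_banner_insecure' );
add_action( 'wp_ajax_nopriv_example_save_banner_insecure', 'example_save_banner_insecure' );

// --- Hardened version ------------------------------------------------------
function example_save_banner() {
    // 1. CSRF: require the nonce WordPress issued for this specific action.
    //    check_ajax_referer() terminates the request if it is missing/invalid.
    check_ajax_referer( 'example_save_banner', 'nonce' );

    // 2. Access control: being logged in is not enough. A Subscriber or
    //    Contributor account must not be able to change a site-wide option,
    //    so gate on a capability rather than on is_user_logged_in().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input handling: strip WordPress' added slashes, then sanitize to the
    //    type this setting expects (a single line of plain text).
    $banner = sanitize_text_field( wp_unslash( $_POST['banner'] ?? '' ) );
    update_option( 'example_banner_text', $banner );

    // 4. Output handling: escape for the context the value is rendered in.
    wp_send_json_success( array( 'message' => 'Saved: ' . esc_html( $banner ) ) );
}
// Registered on the authenticated hook only; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_save_banner', 'example_save_banner' );

// The nonce the hardened handler expects is minted server-side, for example
// when the admin script is enqueued:
//   wp_localize_script( 'example-admin', 'exampleAjax', array(
//       'nonce' => wp_create_nonce( 'example_save_banner' ),
//   ) );
```

When reviewing a plugin against the report's categories, the quick checks are the ones numbered in the hardened handler: is the action registered on `wp_ajax_nopriv_` at all, does it call `check_ajax_referer()` or `wp_verify_nonce()`, does it test a capability with `current_user_can()` rather than mere login state, and is every value sanitized on the way in and escaped on the way out.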

CVSS vs Patchstack Priority Score

Patchstack’s own Priority Score, which considers real-world exploitability and plugin usage, classifies 41.5% of vulnerabilities as high priority, compared to just 22% under CVSS. 

Patchstack says CVSS doesn’t fully reflect the specifics of the WordPress ecosystem, such as flaws that are easy to exploit, affect popular plugins, or are already being targeted. As the report states: “As a general system, the CVSS score doesn’t account for the specifics of the WordPress ecosystem. Patchstack’s Priority Score upgrades severity when a flaw is easy to exploit in the wild, affects a widely used plugin, or is already under attack…”

The report also urges hosting providers and component developers to take appropriate action for the second half of 2025. Hosting providers are encouraged to embed vulnerability intelligence into their platforms, automate vulnerability mitigation, and educate users on the importance of timely updates. 

Component developers are advised to strengthen their security practices, particularly with the upcoming Cyber Resilience Act.
