Patchstack State of WordPress Security In 2026 Report Reveals Vulnerabilities Up by 42%, Hosting Defenses Block Only a Fraction of Exploits


The State of WordPress Security In 2026 report, published by Patchstack in partnership with Monrax, reveals that a total of 11,334 new vulnerabilities were identified in the WordPress ecosystem in 2025, a 42% increase compared to 2024. About half of high-impact vulnerabilities are exploited within 24 hours of disclosure, and the most heavily targeted ones are often attacked within just five hours.

Also, more high-severity vulnerabilities were discovered in 2025 than in the previous two years combined.

Year-on-Year Increase in WordPress Vulnerabilities

Highly exploitable vulnerabilities in the WordPress ecosystem increased by 113% year over year, rising from 5,948 in 2023 to 7,966 in 2024 and reaching 11,332 in 2025. Out of the 11,334 vulnerabilities, 1,966 (17%) were of high severity.

Of the newly discovered vulnerabilities, 91% were found in plugins and 9% in themes. Only six vulnerabilities were reported in the WordPress core, and all were considered low risk.

Risks in Premium Plugins and Themes

The report identifies premium WordPress plugins and themes as an area of growing concern, noting that these products generally receive less independent security review than free components due to limited access to their source code.

The team discovered 1,983 vulnerabilities tied to premium or freemium components. Of those, 59% were high-risk, while 17% were categorized as medium priority and exploitable in more targeted attacks.

More worrying still, the findings confirmed that premium plugins and themes were associated with three times as many Known Exploited Vulnerabilities (KEV) as free alternatives, and 46% of them had no patch at the time of public disclosure.

Vulnerabilities Exploited in Hours, Not Days

The findings indicate that exploitation begins quickly after vulnerabilities are disclosed. Around half of high-impact vulnerabilities were exploited within 24 hours, and among the most heavily targeted cases, the median time to exploitation was five hours.

Most Targeted Vulnerability Types

Broken Access Control was the most exploited vulnerability in 2025, accounting for 57% of attacks blocked by RapidMitigate. The next most targeted category was Privilege Escalation at 20%, followed by Local File Inclusion at 10%. Other vulnerability types were SQL Injection at 5%, Broken Authentication at 3%, Arbitrary File Upload at 3%, Remote Code Execution at 1%, and Cross-Site Scripting at 1%.

Hosting Companies Under Pressure

Hosting companies are also under increasing pressure as the number of WordPress vulnerabilities grows, along with quicker exploitation times.

The team conducted two pentesting scenarios to see how well the security solutions commonly used by hosting companies (internal WAFs and Cloudflare) would hold up.

The results revealed that hosting defenses blocked only 12% of actively exploited WordPress vulnerabilities, and just 26% when a wider range of vulnerabilities was included.

Monrax’s analysis reveals that injected files in core, plugin, and theme components make traditional “delete-only” defenses ineffective. As the report puts it: “The 2025 data demonstrates that signature-based “delete-only” security is no longer sufficient, as attackers increasingly favor compromising legitimate files during peak traffic periods.”

Malicious uploads spiked nearly threefold during Q4 holidays, while uploader scripts doubled mid-year, signaling a shift to multi-stage attacks.

Besides this, malware is also getting stealthier. Attackers use cloaking to hide malicious content from search engines and AI crawlers while targeting human visitors. As the report states: “The dominant attack families (Japanese SEO, jgalls, Parrot TDS) all use “cloaking” techniques to serve different content based on who visits the website.”

Also, memory-resident threats like Lock360 reinfect cleaned files automatically.
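The point the report makes about “delete-only” cleanup is that removing a dropped file does nothing about a legitimate core, plugin or theme file that has been modified in place, and a reinfection only shows up if the check is repeated. The following added example (not from the Patchstack/Monrax report, and not any product's code) is a minimal file-integrity check for a WordPress install: it records a SHA-256 baseline, then classifies a later snapshot into added, removed and modified files and separately flags PHP files under `wp-content/uploads/`. The directory tree, file contents and the “injected” markers are constructed for the demo; the `demo()` function walks through the initial compromise, a delete-only cleanup that leaves the tampered theme file flagged, and a restore that brings the report back to clean.

```python
"""
Added example: SHA-256 file-integrity baseline and diff for a WordPress tree.
Not from the report or any vendor; all paths and contents are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Executable extensions that should never appear under the uploads tree.
SUSPICIOUS_UPLOAD_EXT = {".php", ".phtml", ".php5", ".phar"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and a later snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    # PHP dropped into uploads/ is the classic "uploader script" pattern.
    executable_uploads = sorted(
        p for p in current
        if p.startswith("wp-content/uploads/") and Path(p).suffix.lower() in SUSPICIOUS_UPLOAD_EXT
    )
    return {"added": added, "removed": removed, "modified": modified,
            "executable_uploads": executable_uploads}


def demo() -> dict:
    """Build a constructed WordPress tree, tamper with it, and report each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed stand-ins for real install files
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "wp-content/plugins/demo/demo.php": "<?php // demo plugin\n",
            "wp-content/themes/demo/functions.php": "<?php // theme functions\n",
            "wp-content/uploads/2025/12/photo.jpg": "JPEGDATA",
        }
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        baseline = snapshot(root)

        # Constructed tampering: a legitimate theme file is modified in place and
        # a script lands in uploads/. Both "payloads" are harmless comment markers.
        theme = root / "wp-content/themes/demo/functions.php"
        theme.write_text(files["wp-content/themes/demo/functions.php"] + "// INJECTED MARKER\n")
        dropped = root / "wp-content/uploads/2025/12/up.php"
        dropped.write_text("<?php // uploader marker\n")
        first = compare(baseline, snapshot(root))

        # "Delete-only" cleanup: the dropped file goes, the modified theme stays.
        dropped.unlink()
        after_delete_only = compare(baseline, snapshot(root))

        # Restore the theme file from known-good content and re-check.
        theme.write_text(files["wp-content/themes/demo/functions.php"])
        after_restore = compare(baseline, snapshot(root))

        return {"first": first, "after_delete_only": after_delete_only,
                "after_restore": after_restore}


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, report)
```

In practice the baseline would be taken from a freshly installed copy of the same core, plugin and theme versions (or from the vendor's published checksums) and the comparison scheduled to run repeatedly, since a memory-resident component can rewrite a file minutes after it has been cleaned; a file that returns to the `modified` list between runs is the reinfection signal.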

WordPress Security Challenges in 2026

The team noted that the challenges for 2026 will be significant: securing WordPress sites is becoming more complex as new technologies expand the attack surface. At the same time, attackers are now making use of AI to find and exploit vulnerabilities, while security teams must manage an overwhelming flood of AI-generated security reports.

EU regulations, including the Cyber Resilience Act, will also increase pressure on teams to implement new security measures, such as mandatory Vulnerability Disclosure Programs (VDPs) for every commercial WordPress plugin.
