AI-Generated Code to Introduce New Vulnerabilities in WordPress Plugins in 2025: State of WordPress Security Report

In a joint white paper released by Patchstack and Sucuri, alarming new findings reveal that the increasing use of AI-generated code in WordPress plugins may lead to a surge in security vulnerabilities by 2025. The report, titled ‘State of WordPress Security In 2025,’ analyzes the security landscape of the past year and issues critical warnings as the European Union’s Cyber Resilience Act (CRA) looms, which will require developers to disclose severe vulnerabilities by September 2026.

A Rise in AI-Generated Security Flaws

One of the most pressing concerns highlighted in the report is the introduction of vulnerabilities due to AI-generated code. As more developers, including those with limited coding experience, turn to generative AI for creating plugins, the quality and security of the code have come under scrutiny. The report documents a noticeable increase in AI-generated plugins with security flaws, often resulting from negligence or overreliance on AI-generated code.

“WordPress core, plugin, and theme vulnerabilities account for nearly half of all malware infections, with the rest tied to poor security hygiene,” the report states. “As AI-generated code becomes more prevalent, the lack of robust security checks could lead to more widespread exploitation.”

Unpatched and Abandoned Plugins: An Escalating Threat

Alongside the risks posed by AI-generated code, the report sheds light on the dangers of unpatched and abandoned plugins. Despite removal from the WordPress.org repository for security issues, these plugins often remain active on websites, exposing them to attacks. In 2024, a staggering 1,614 plugins were removed due to security concerns, with 1,450 classified as high or medium-priority vulnerabilities.

Impact of the Automattic-WP Engine Dispute

The white paper also examines the fallout from the Automattic-WP Engine dispute, which left WP Engine-hosted sites disconnected from critical WordPress.org updates. This disruption left countless websites without essential security patches, increasing their vulnerability to potential breaches.

“Trust in WordPress.org has been compromised, and the implications for WP Engine customers and the company itself are significant,” the report notes.

Key Security Insights from 2024

  • 7,966 new vulnerabilities were reported, a 34% increase from 2023.
  • 96% of vulnerabilities were found in plugins; only 4% were in themes.
  • Over 500,000 websites were compromised due to security issues.
  • More than 43% of new vulnerabilities required no authentication to exploit.
  • 52% of all new vulnerabilities were disclosed by Patchstack, while disclosures from WPScan dropped.

Preparing for the Future

The report concludes that WordPress security concerns extend beyond code vulnerabilities, touching on governance issues and the integrity of the WordPress supply chain. As the CRA deadline approaches, organizations must adopt a multi-layered approach to security, integrating strong passwords, two-factor authentication, and thoughtful access management.

“The security of the global web hinges on maintaining the integrity of the WordPress ecosystem,” the report emphasizes, urging businesses to remain vigilant in safeguarding their online presence.

One Comment

  1. Among other issues with the report, Patchstack’s claimed number of new vulnerabilities is largely a work of fiction. Many of the vulnerabilities are not real, with many supposed vulnerabilities involving an attacker who would already have to have complete control of the website.

    Other vulnerability claims are more problematic. We investigated a recent vulnerability claim from Patchstack involving a plugin, WP Visitor Statistics, with 30,000 installs. We found that the vulnerability had already been disclosed in 2023 by WPScan. Patchstack claimed it was fixed in 2023, despite that not being the case. When taking credit for disclosing it again recently, they again said it had been fixed when it hadn’t. It still hasn’t been fixed.

    As to the plugins being closed last year, many of those had been known to be vulnerable for years, but remained in the plugin directory. Based on our data, there are currently plugins with at least 20.5 million installs that are known to contain vulnerabilities still in the directory.
