Experts note that only seven vulnerabilities discovered last year affected the WordPress core. Most of the security holes were discovered in plugins (7,633 vulnerabilities or 96% of their total number); and only a small proportion of them, in themes (326 vulnerabilities or 4% of their total number).
In total, 1,018 bugs were identified in plugins installed more than 100,000 times; while other 115 vulnerable plugins were installed more than 1 million times each, including seven plugins with 10 million installations.
Patchstack experts claim that, despite the impressive number of vulnerabilities, most of them didn’t pose significant threats: 69.6% of the bugs were unlikely to be exploited; other 18.8% could be used in targeted attacks; and only 11.6% were actually used in attacks or recognized likely to be exploited.
Only one-third of the identified vulnerabilities had high-risk or critical CVSS scores.
Patchstack reports that 43% of all security holes discovered in WordPress in 2024 could be exploited without authentication; only some bugs required interaction with an authenticated user.
Other 43% of vulnerabilities required at least low privileges (e.g. contributor or subscriber) to be exploited; while 12% of them required administrator, author, or editor privileges.
Almost half of the WordPress issues documented in 2024 were related to XSS (47.7%); access control violation (14.19%) and CSRF (11.35%) bugs were widespread as well.
Patchstack analysts emphasize that developers of WordPress plugins must take prompt actions to ensure the security of their users. The fact is that last year, 33% of identified vulnerabilities remained unfixed until their public disclosure.
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.02.05 — Google patches Android zero-day vulnerability exploited by hackers
Google released the February set of patches for Android. In total, they fix 48 bugs, including a kernel zero-day vulnerability actively exploited by hackers. The zero-day's…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →