8,000 vulnerabilities identified in WordPress ecosystem in 2024

📟 News

Date: 20/03/2025

According to Patchstack, the world’s #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; the vast majority of these bugs affected plugins and themes.

Experts note that only seven vulnerabilities discovered last year affected the WordPress core. Most of the security holes were found in plugins (7,633 vulnerabilities, or 96% of the total), and only a small share in themes (326 vulnerabilities, or 4% of the total).

In total, 1,018 bugs were identified in plugins with more than 100,000 installations; another 115 vulnerable plugins had more than 1 million installations each, including seven plugins with 10 million installations.

Patchstack experts claim that, despite the impressive number of vulnerabilities, most of them did not pose a significant threat: 69.6% of the bugs were unlikely to be exploited; another 18.8% could be used in targeted attacks; and only 11.6% were actually exploited in attacks or assessed as likely to be exploited.

Only one-third of the identified vulnerabilities had high-risk or critical CVSS scores.

Patchstack reports that 43% of all security holes discovered in WordPress in 2024 could be exploited without authentication; only some of the bugs required interaction with an authenticated user.

Another 43% of the vulnerabilities required at least low privileges (e.g. contributor or subscriber) to be exploited, while 12% required administrator, author, or editor privileges.

Almost half of the WordPress issues documented in 2024 were XSS bugs (47.7%); broken access control (14.19%) and CSRF (11.35%) bugs were widespread as well.

Patchstack analysts emphasize that developers of WordPress plugins must act promptly to ensure the security of their users: last year, 33% of the identified vulnerabilities remained unpatched at the time of their public disclosure.

Most popular plugins containing severe vulnerabilities