8,000 vulnerabilities identified in WordPress ecosystem in 2024

📟 News

Date: 20/03/2025

According to Patchstack, world’s #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins and themes.

Only seven of those vulnerabilities affected the WordPress core itself. The overwhelming majority were in plugins (7,633, or 96% of the total); a small share were in themes (326, or 4%).

In total, 1,018 of the vulnerabilities were found in plugins with more than 100,000 installations; another 115 affected plugins with more than 1 million installations each, including seven plugins with 10 million or more installations.

Patchstack notes that, despite the headline number, most of these vulnerabilities did not pose a significant threat: 69.6% were rated unlikely to be exploited, 18.8% could be used in targeted attacks, and only 11.6% were either exploited in the wild or judged likely to be.

Only about a third of the identified vulnerabilities carried a High or Critical CVSS severity.

Patchstack reports that 43% of the vulnerabilities found in the WordPress ecosystem in 2024 could be exploited without authentication, although some of these still depend on an authenticated user interacting with attacker-controlled content, as CSRF and reflected XSS do.

Another 43% required at least a low-privileged account (for example, subscriber or contributor), and 12% required author, editor, or administrator privileges.

Almost half of the issues documented in 2024 were cross-site scripting (XSS, 47.7%); broken access control (14.19%) and cross-site request forgery (CSRF, 11.35%) were common as well.
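The three bug classes above, and the authentication levels in the preceding paragraphs, map onto a few recurring mistakes in plugin request handlers. The following is an added illustration written for this page, not code from Patchstack, from the article, or from any real plugin: a hypothetical settings endpoint shown first with all three defects, then hardened with the standard WordPress APIs. The plugin name, the option name `example_banner_text`, and the AJAX action names are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Example Banner Endpoint (illustration only)
 *
 * Constructed example, not from the article or from Patchstack. The option
 * name, action names and capability choice are assumptions for this demo.
 */

/* ---------- Vulnerable version ---------- */

// Registering on wp_ajax_nopriv_ exposes the handler to unauthenticated
// requests (the "no authentication required" category); wp_ajax_ alone
// exposes it to any logged-in user, subscriber included.
add_action( 'wp_ajax_nopriv_example_save_banner_vuln', 'example_save_banner_vuln' );
add_action( 'wp_ajax_example_save_banner_vuln',        'example_save_banner_vuln' );

function example_save_banner_vuln() {
    // Broken access control: no capability check, so anyone who can reach
    // admin-ajax.php can change a site-wide option.
    // CSRF: no nonce, so a third-party page can make a logged-in admin's
    // browser submit this request.
    $text = $_POST['text'];
    update_option( 'example_banner_text', $text );

    // Stored XSS: the raw value is echoed without escaping, and any template
    // that prints the option the same way is affected too.
    echo '<div class="banner">' . get_option( 'example_banner_text' ) . '</div>';
    wp_die();
}

/* ---------- Hardened version ---------- */

// Only logged-in users can reach this; the nopriv hook is deliberately absent.
add_action( 'wp_ajax_example_save_banner', 'example_save_banner' );

function example_save_banner() {
    // CSRF: the request must carry a nonce bound to this action and user.
    // The client obtains it from wp_create_nonce( 'example_save_banner' ) or
    // wp_nonce_field( 'example_save_banner', 'nonce' ) in an admin form.
    check_ajax_referer( 'example_save_banner', 'nonce' );

    // Access control: require an administrator-level capability, not merely
    // a login. A subscriber or contributor is rejected here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Input sanitisation: remove the slashes WordPress adds, then reduce the
    // value to plain text before it is stored.
    $text = isset( $_POST['text'] )
        ? sanitize_text_field( wp_unslash( $_POST['text'] ) )
        : '';
    update_option( 'example_banner_text', $text );

    wp_send_json_success( array( 'text' => $text ) );
}

// Output escaping at render time, regardless of what is stored: this is
// what actually closes the XSS, since stored data may predate the fix.
function example_render_banner() {
    $text = get_option( 'example_banner_text', '' );
    echo '<div class="banner">' . esc_html( $text ) . '</div>';
}
add_action( 'wp_footer', 'example_render_banner' );
```

Read against the statistics: the `wp_ajax_nopriv_` registration is what makes a bug "exploitable without authentication"; a `wp_ajax_` handler without `current_user_can()` is the typical "subscriber-level" access control flaw; a handler with a capability check but no nonce is the CSRF case, where an administrator still has to be lured into submitting the request; and missing `esc_html()` at output is the stored XSS that accounts for nearly half of the year's reports.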

Patchstack analysts urge plugin developers to respond to vulnerability reports promptly: 33% of the vulnerabilities identified last year were still unpatched at the time of public disclosure. For site operators this means a fix is not always available when a bug becomes public, so unused plugins are better removed than left installed, and the remaining ones should be kept on automatic updates where possible.

Most popular plugins containing severe vulnerabilities