Experts note that only seven vulnerabilities discovered last year affected the WordPress core. Most of the security holes were discovered in plugins (7,633 vulnerabilities or 96% of their total number); and only a small proportion of them, in themes (326 vulnerabilities or 4% of their total number).
In total, 1,018 bugs were identified in plugins installed more than 100,000 times; while other 115 vulnerable plugins were installed more than 1 million times each, including seven plugins with 10 million installations.
Patchstack experts claim that, despite the impressive number of vulnerabilities, most of them didn’t pose significant threats: 69.6% of the bugs were unlikely to be exploited; other 18.8% could be used in targeted attacks; and only 11.6% were actually used in attacks or recognized likely to be exploited.
Only one-third of the identified vulnerabilities had high-risk or critical CVSS scores.
Patchstack reports that 43% of all security holes discovered in WordPress in 2024 could be exploited without authentication; only some bugs required interaction with an authenticated user.
Other 43% of vulnerabilities required at least low privileges (e.g. contributor or subscriber) to be exploited; while 12% of them required administrator, author, or editor privileges.
Almost half of the WordPress issues documented in 2024 were related to XSS (47.7%); access control violation (14.19%) and CSRF (11.35%) bugs were widespread as well.
Patchstack analysts emphasize that developers of WordPress plugins must take prompt actions to ensure the security of their users. The fact is that last year, 33% of identified vulnerabilities remained unfixed until their public disclosure.
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →