WordPress Plugin Security Is a Dumpster Fire: 11,000+ Vulnerabilities in One Year

331 new WordPress plugin vulnerabilities in a single week. That’s not a bug. That’s an entire ecosystem on fire.

WordPress Security by the Numbers: The 2025-2026 Dumpster Fire

| Metric | Value | Context |
|---|---|---|
| New vulnerabilities (2025) | 11,334 | 42% increase from 2024's 7,966 |
| From plugins | 91% | Core WordPress had just 2 vulnerabilities |
| Unpatched before disclosure | 46% | Nearly half had no fix when attackers learned about them |
| Exploited within 24 hours | 45% | Attackers start scanning within 4 hours of disclosure |
| Worst single week (Mar 25, 2026) | 331 | 275 plugins + 56 themes in 7 days |
| Worst single plugin (CVSS 10.0) | Modular DS | Unauthenticated admin access — 40,000+ sites |
| WordPress market share | 43% | 605 million websites at risk |
| Sites attacked | Every 32 minutes | Average in 2025 |

Sources: Patchstack State of WordPress Security 2026, SolidWP Weekly Reports (March 2026), W3Techs market share data.

WordPress powers 43% of all websites on the internet. That’s roughly 605 million sites.

Its plugin ecosystem has become the single largest attack surface on the web. In 2025 alone, Patchstack documented 11,334 new vulnerabilities — a 42% increase from the year before. 91% of them were in plugins. WordPress core had just 2.

This isn’t a problem that’s getting better. It’s accelerating.

30-Second Verdict

  • 11,334 new WordPress vulnerabilities in 2025 — 42% increase from 2024
  • 91% from plugins — WordPress core is fine, the ecosystem is the problem
  • 46% unpatched before disclosure — attackers know about the flaw before there’s a fix
  • 45% exploited within 24 hours — you have hours, not days, to respond
  • 331 new vulnerabilities in a single week (March 25, 2026)
  • CVSS 10.0 exploit (Modular DS) gave anyone unauthenticated admin access
  • Supply-chain attacks now inject malware through legitimate plugin updates
  • Wordfence free delays security rules by 30 days — you’re unprotected during the most critical window
  • Best protection: Minimize plugins, use Cloudflare WAF (free), or leave WordPress entirely

The Numbers Are Getting Worse

Vulnerability Growth (Year-over-Year)

The trend line is horrifying:

  • 2023: ~5,600 vulnerabilities
  • 2024: 7,966 vulnerabilities (+42%)
  • 2025: 11,334 vulnerabilities (+42% again)

That’s not linear growth. It’s compounding. At this rate, 2026 will see 16,000+ new WordPress ecosystem vulnerabilities.

March 2026: A Typical Month

SolidWP tracks weekly vulnerabilities. Here’s what March 2026 looked like:

  • Week of March 4: 281 vulnerabilities (108 plugins, 173 themes) — 225 unpatched
  • Week of March 11: 209 vulnerabilities (98 plugins, 111 themes) — 134 unpatched
  • Week of March 18: 159 vulnerabilities (6 core, 130 plugins, 23 themes) — 46 unpatched
  • Week of March 25: 331 vulnerabilities (275 plugins, 56 themes) — 120 unpatched

That’s 980 new vulnerabilities in a single month, an average of 35 per day. And between 15% and 80% of them were unpatched at the time of disclosure.

The Worst Offenders

Modular DS Plugin: CVSS 10.0 (The Perfect Score of Failure)

In January 2026, security researchers discovered CVE-2026-23550 in the Modular DS plugin — a vulnerability scoring 10.0 out of 10.0 on the CVSS severity scale. That’s the maximum possible score. It means:

  • No authentication required — anyone can exploit it
  • No user interaction needed — the attacker just sends a request
  • Full admin access — complete control of the website

The attack was simple: append ?origin=mo&type=xxx to a URL, and you’re an admin. 40,000+ sites ran this plugin.

This was actively exploited in the wild before most sites could update.

WPvivid Backup & Migration: Remote Code Execution on 900,000 Sites

CVE-2026-1357 affected WPvivid, installed on nearly 900,000 sites. CVSS 9.8. The vulnerability allowed unauthenticated attackers to upload arbitrary files and execute code on the server — full remote code execution without logging in.

The cause? Improper RSA decryption error handling combined with insufficient path sanitization. A backup plugin — something you install to protect your site — became the vector for its compromise.

Ally Plugin: SQL Injection on 400,000+ Sites

CVE-2026-2413 allowed SQL injection through the URL path itself. No authentication needed. 400,000+ active installations. The patch didn’t arrive until February 23, 2026 — weeks after disclosure.

The 46% Problem: Unpatched Before Disclosure

Here’s what makes WordPress plugin security fundamentally broken: 46% of vulnerabilities have no patch available when they’re publicly disclosed.

This means:

  1. Security researcher finds a vulnerability
  2. Contacts the plugin developer (responsible disclosure)
  3. Developer doesn’t fix it within the standard 90-day window
  4. Vulnerability gets published — now attackers know about it
  5. There is no fix. Your only option is to deactivate the plugin.

Meanwhile, attackers move fast:

  • 20% of vulnerabilities are exploited within 6 hours of disclosure
  • 45% within 24 hours
  • 70% within 7 days

So almost half of all vulnerabilities are disclosed without a patch, and attackers start exploiting within hours. The math doesn’t work in your favor.

Supply-Chain Attacks: The New Nightmare

In 2025-2026, the threat evolved. Attackers stopped just exploiting existing vulnerabilities — they started compromising the plugins themselves.

How Supply-Chain Attacks Work

  1. Attacker gains access to a plugin developer’s account (or the plugin’s source repository)
  2. Injects malicious code into a legitimate plugin update
  3. The update auto-installs on every site running that plugin
  4. Malware is now running on thousands of sites, delivered through the official WordPress update system

Real Examples

Gravity Forms (July 2025): One of WordPress’s most popular form plugins was hit with a supply-chain attack. Infected downloads affected both manual installations and Composer packages.

January 2026 Malware Campaign: Wordfence discovered malware disguised as “WP-antymalwary-bot.php” — deliberately misspelled to look like a security plugin. It was distributed through compromised plugin updates.

The Scale: According to Patchstack, over 2 million websites received compromised updates in one major supply-chain incident before detection. 92% of successful WordPress breaches in 2025 came from plugins and themes — not WordPress core.

This is the fundamental problem: WordPress’s strength (extensibility) is also its fatal weakness. Every plugin is a potential entry point, and the update system that’s supposed to keep you safe is now the attack vector.
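Detection-side example, added here and not taken from the article, Wordfence, or any plugin's own code: a file-integrity check that snapshots a plugin directory before and after an update and flags PHP files that were added or changed, which is what a tampered update looks like on disk. The directory layout, file names and contents are constructed in a temp folder; the dropped file borrows the disguised name the article mentions but contains only a harmless placeholder comment.

```python
"""Spot unexpected PHP files after a plugin update (added example, constructed data)."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Return {relative_path: sha256} for every file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                result[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify files as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def suspicious_php(diff: dict) -> list:
    """PHP files that appeared or changed: the footprint of a tampered update."""
    return sorted(p for p in diff["added"] + diff["modified"] if p.lower().endswith(".php"))


def _write(plugin_dir: str, name: str, text: str) -> None:
    with open(os.path.join(plugin_dir, name), "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict:
    """Build a constructed plugin tree, 'update' it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "example-plugin")  # constructed plugin slug
        os.makedirs(plugin)
        _write(plugin, "example-plugin.php", "<?php\n// Plugin Name: Example Plugin (constructed)\n")
        _write(plugin, "readme.txt", "== Example Plugin ==\n")
        before = snapshot(plugin)

        # Simulate an update: one legitimate edit plus an unexpected dropped file.
        _write(plugin, "readme.txt", "== Example Plugin ==\n= Changelog =\n")
        _write(plugin, "WP-antymalwary-bot.php",
               "<?php\n// constructed placeholder standing in for a dropped file; not real malware\n")
        after = snapshot(plugin)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    d = demo()
    print("added:", d["added"])
    print("modified:", d["modified"])
    print("review these PHP files:", suspicious_php(d))
```

In production you would not baseline against the previous on-disk state alone, since a file that was already tampered with would pass as "unchanged"; compare the post-update tree against a fresh copy of the same version pulled from the wordpress.org plugin directory, and treat any PHP file present on the server but absent from that copy as a finding.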

Wordfence Free: The 30-Day Security Gap

Many WordPress users rely on Wordfence for protection. The free version is installed on millions of sites.

Here’s what most users don’t know: Wordfence Free delays firewall rules and malware signatures by 30 days compared to the premium version.

Think about what that means given the data above:

  • 45% of vulnerabilities are exploited within 24 hours
  • 70% are exploited within 7 days
  • Wordfence Free doesn’t protect you for 30 days

You’re unprotected during the entire critical window. By the time Wordfence Free updates its rules, the vulnerability has been actively exploited for a month. The free version is essentially security theater for active threats.

Premium costs $119/year. That’s per site. If you run 5 WordPress sites, that’s $595/year just for basic real-time protection.

What Actually Protects You

1. Cloudflare WAF (Free)

Cloudflare’s free tier includes a Web Application Firewall that catches many WordPress exploits at the network edge — before they reach your server. It’s not WordPress-specific, but it blocks common attack patterns (SQL injection, XSS, path traversal) that account for the majority of plugin exploits.

It’s free. There’s no reason not to use it.

2. Minimize Plugins (Radical Reduction)

Every plugin is an attack surface. The math is simple:

  • 20 plugins = 20 potential entry points
  • 5 plugins = 5 potential entry points
  • 0 plugins = 0 plugin-based entry points

Audit every plugin. Ask: “Is there a way to do this without a plugin?” For many features (analytics, forms, SEO), the answer is yes — through code or external services that don’t run on your server.
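As an added example (not code from the article or from any of the tools it names), here is a small Python triage script that applies the logic of two sections at once: the 46% problem (a disclosed flaw with no fix means deactivate, not wait) and the plugin audit above (an inactive plugin's files still sit on disk, so delete it rather than leave it installed). It assumes the inventory was exported with `wp plugin list --format=json` (a real WP-CLI command; the field names below are my reading of its output) and that the advisory feed has been normalized into a list with a `fixed_in` field. Both inputs are constructed; the plugin slugs are placeholders.

```python
"""Triage installed WordPress plugins against an advisory feed (added example)."""
import json
import re

# Constructed inventory in the shape of `wp plugin list --format=json` (assumed field names).
INVENTORY_JSON = """[
  {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
  {"name": "example-forms", "status": "active", "update": "available",
   "version": "2.1.0", "update_version": "2.1.1"},
  {"name": "example-backup", "status": "active", "update": "none", "version": "0.9.4"},
  {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"}
]"""

# Constructed advisory feed. "fixed_in": None models the 46% case: disclosed, no patch.
ADVISORIES = [
    {"slug": "example-forms", "fixed_in": "2.1.1"},
    {"slug": "example-backup", "fixed_in": None},
]


def parse_version(v: str) -> tuple:
    """Turn '2.1.0' (or '2.1.0-beta1') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_lt(a: str, b: str) -> bool:
    """True when a < b; pads so '2.1' equals '2.1.0' (a simplification of real feeds)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def is_vulnerable(version: str, advisory: dict) -> bool:
    """No fixed version at all means every installed version is affected."""
    fixed = advisory["fixed_in"]
    return fixed is None or version_lt(version, fixed)


def triage_report(inventory_json: str, advisories: list) -> dict:
    """Map each plugin to exactly one action: delete, deactivate, update or ok."""
    by_slug = {}
    for adv in advisories:
        by_slug.setdefault(adv["slug"], []).append(adv)

    actions = {}
    for plugin in json.loads(inventory_json):
        name, version = plugin["name"], plugin["version"]
        if plugin["status"] != "active":
            actions[name] = "delete"      # inactive code is still on disk; remove the surface
            continue
        hits = [a for a in by_slug.get(name, []) if is_vulnerable(version, a)]
        if any(a["fixed_in"] is None for a in hits):
            actions[name] = "deactivate"  # disclosed with no patch: the only option left
        elif hits:
            actions[name] = "update"      # a patched version exists; apply it now
        else:
            actions[name] = "ok"
    return actions


if __name__ == "__main__":
    for name, action in triage_report(INVENTORY_JSON, ADVISORIES).items():
        print(f"{action:10s} {name}")
```

Run it against the real `wp plugin list --format=json` output and a feed you trust, and the "deactivate" and "delete" rows are your immediate to-do list; the "update" rows are the ones to close before the 24-hour window the article describes runs out.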

3. Static Site Generators (The Nuclear Option)

A static site has no server-side code running. No database. No plugins executing on the server. No WordPress. No attack surface.

If your site is primarily content (blog, documentation, marketing site), a static generator eliminates the entire category of server-side vulnerabilities. I wrote about this in How to Start a Blog Without WordPress Bullshit and Best WordPress Blog Alternatives.

The site you’re reading right now doesn’t run on WordPress. It’s a static site behind Cloudflare. Plugin vulnerabilities aren’t my problem anymore.

The Bottom Line

WordPress itself is fine. Two core vulnerabilities in 2025. The WordPress team does good security work.

The plugin ecosystem is on fire. 11,334 vulnerabilities in one year. 331 in a single week. A CVSS 10.0 exploit giving anyone admin access. Supply-chain attacks injecting malware through official update channels. 46% of vulnerabilities unpatched before disclosure. Attackers exploiting within hours.

605 million websites run on WordPress. The plugin ecosystem that powers most of them is fundamentally insecure, and the trajectory is getting worse — 42% more vulnerabilities year over year, compounding.

Every plugin you install is a bet that its developer will patch vulnerabilities faster than attackers can exploit them. With 46% of developers failing to patch before disclosure and attackers moving within hours, you’re losing that bet almost half the time.

If you need WordPress for e-commerce, membership sites, or complex web applications — minimize plugins, use Cloudflare WAF, invest in Wordfence Premium, and monitor SolidWP’s weekly reports.

If you don’t need WordPress — if you’re running a blog, a portfolio, or a marketing site — stop using it. There are faster, safer alternatives that eliminate the entire problem.

Don’t Trust Me — Verify Everything


Full disclosure: I make $0 from every product mentioned in this article. No affiliate relationships with WordPress, Cloudflare, Wordfence, or any WordPress alternative. This article exists because 605 million websites deserve to know what’s happening in the ecosystem they depend on.

The Angry Dev

Do NOT trust review sites. Affiliate commissions dictate their rankings. This is an affiliate site too, but I’m being honest about what I earn and I rank by quality instead of payout. Even if it means I get paid $0. Read about my approach and why I stopped bullshitting. Here’s the raw data so you can fact-check everything.
