CVE Proliferation Among Detected Frameworks
WordPress has exceeded 18,000 cumulative vulnerabilities in 2026, according to the WordPress.org security database. This figure includes 3,200 new entries reported in the first half of the year alone.
The surge follows a June 2026 update that added 3 million sites using UpdraftPlus, a plugin with a critical vulnerability rated CVSS 9.8. This flaw affected 1 million installations managed by Burst Statistics, a hosting provider.
Kirki, a popular theme customization framework, reported 500,000 active installations in June 2026. Its latest vulnerability disclosure highlights ongoing risks in plugin ecosystems.
June 2026 Exposure Metrics
Aggregate exposure from June 2026 updates exceeds 5 million installations. This includes 3 million UpdraftPlus users, 1 million Burst Statistics clients, and 500,000 Kirki adopters. These figures represent 12% of all WordPress sites.
The WordPress Security Team attributes the increase to expanded plugin adoption and increased scrutiny of legacy codebases. Over 80% of new vulnerabilities in 2026 stem from third-party plugins.
Comparative analysis shows Hugo, a static site generator, remains unaffected with zero reported CVEs in 2026. This contrasts sharply with WordPress's 18,005 cumulative vulnerabilities.
Mitigation Strategies
WordPress administrators are urged to enable automatic updates and audit plugin repositories. The WordPress Security Team recommends disabling plugins with unpatched vulnerabilities.
Burst Statistics has implemented emergency patches for its 1 million affected clients. UpdraftPlus released a security update in mid-June 2026, though 20% of users remain unpatched.
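The audit recommended above can be scripted. The following is an added example, not code from WordPress or any plugin vendor: it assumes plugin inventory in the JSON shape printed by WP-CLI's `wp plugin list --format=json`, and the plugin slugs, versions and advisory entries are constructed placeholders.

```python
import json

# Constructed sample in the shape of `wp plugin list --format=json` output.
# Slugs and versions are placeholders, not real advisory data.
SAMPLE_PLUGIN_LIST = """[
 {"name": "example-backup", "status": "active", "update": "available", "version": "1.4.2", "update_version": "1.4.9", "auto_update": "off"},
 {"name": "example-stats", "status": "active", "update": "none", "version": "2.0.1", "update_version": "", "auto_update": "on"},
 {"name": "example-customizer", "status": "active", "update": "none", "version": "5.1.0", "update_version": "", "auto_update": "off"}
]"""

# Constructed advisory feed: slug -> first fixed version, or None if unpatched.
SAMPLE_ADVISORIES = {"example-backup": "1.4.9", "example-customizer": None}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); trailing zeros are dropped so 1.4 == 1.4.0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def audit(plugin_json, advisories):
    """Return {slug: [findings]} for plugins that need administrator action."""
    report = {}
    for plugin in json.loads(plugin_json):
        slug, findings = plugin["name"], []
        if slug in advisories:
            fixed = advisories[slug]
            if fixed is None:
                # No patched release exists, so the only mitigation is to disable.
                findings.append("no fix released: disable")
            elif parse_version(plugin["version"]) < parse_version(fixed):
                findings.append(f"vulnerable: update to {fixed} or later")
        if plugin.get("update") == "available" and not findings:
            findings.append("update pending")
        if plugin.get("auto_update") != "on":
            findings.append("auto-update off")
        if findings:
            report[slug] = findings
    return report


if __name__ == "__main__":
    for slug, findings in audit(SAMPLE_PLUGIN_LIST, SAMPLE_ADVISORIES).items():
        print(f"{slug}: {'; '.join(findings)}")
```

In practice the advisory mapping would be populated from whichever vulnerability feed the site operator already trusts.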
Industry Implications
The 2026 data underscores the need for stricter plugin vetting processes. Over 60% of WordPress vulnerabilities originate from plugins not maintained by core developers.
Static site generators like Hugo continue to gain traction, with 15% growth in adoption since 2025. Hugo's record of zero reported CVEs in 2026 highlights the security advantages of static content delivery.