Skip to content
Business Efficiency

Record 48,185 CVEs Disclosed in 2026 — WordPress Plugins Are the Primary Driver

CVE disclosures hit an all-time record, up 20.6% from 2024. Patchstack reports that third-party WordPress plugins account for the majority of the increase.

· 5 min read
Share on X LinkedIn
Record 48,185 CVEs Disclosed in 2026 — WordPress Plugins Are the Primary Driver

The Number That Keeps Growing

CVE disclosures hit a record 48,185 in 2026, according to Patchstack's State of WordPress Security report. This represents a 20.6% increase over 2024 numbers. The growth is driven largely by vulnerabilities in third-party WordPress plugins — the 60,000+ add-ons that extend WordPress's core functionality but operate outside WordPress's core security team.

Almost every week brings a new report of a WordPress plugin vulnerability. The velocity is not slowing. The plugin ecosystem grows faster than security researchers can audit it, and many plugin developers are solo operators or small teams without dedicated security practices. The result is a vulnerability discovery rate that overwhelms enterprise security teams attempting to maintain WordPress installations.

48,185 (record)
2026 CVE disclosures
20.6% increase over 2024. Source: Patchstack State of WordPress Security 2026.
60,000+ public plugins
WordPress plugin ecosystem
Each with independent security practices. Source: WordPress.org, June 2026.
18,005
WordPress cumulative NVD CVEs
Highest of any web framework in National Vulnerability Database. Source: NVD/NIST, June 2026.

Volume Creates Invisibility

When vulnerability disclosures number in the tens of thousands annually, individual CVEs lose visibility. A CVSS 9.8 authentication bypass in a plugin affecting 500,000 sites gets one news cycle, then is buried by the next disclosure. Enterprise security teams cannot track, evaluate, and patch vulnerabilities at this rate. The volume itself becomes the vulnerability — important patches are missed because they are indistinguishable from the noise.

This is a structural problem, not a people problem. No security team, regardless of size, can effectively process 48,185 vulnerabilities per year — 132 per day. The appropriate response is not more security staff; it is less attack surface.

The Framework Comparison

WordPress's 18,005 cumulative CVEs contrast sharply with modern frameworks. Django has 98 cumulative CVEs. Next.js has 12. Hugo, Astro, and Eleventy have zero. The disparity is not because modern frameworks are younger — Django is older than many WordPress plugins. The disparity is architectural: frameworks without plugin ecosystems, without server-side PHP runtimes, and without database-connected admin panels have fundamentally less attack surface.

98
Django cumulative CVEs
Across 20+ years of releases. Source: NVD/NIST, June 2026.
0
Hugo / Astro / Eleventy CVEs
Zero cumulative CVEs in National Vulnerability Database. Source: NVD/NIST, June 2026.

The Cost Calculation

Each CVE has a response cost: triage, evaluation, testing, patching, deployment, and verification. At 132 WordPress-ecosystem CVEs per day, the annual security maintenance cost for a WordPress installation is not a line item — it is a department. Organizations budgeting for web infrastructure should include the CVE response cost alongside hosting, development, and licensing. For WordPress, that cost is growing 20% annually with no sign of deceleration.

Share this insight