The Number That Keeps Growing
CVE disclosures hit a record 48,185 in 2026, according to Patchstack's State of WordPress Security report. This represents a 20.6% increase over 2024 numbers. The growth is driven largely by vulnerabilities in third-party WordPress plugins — the 60,000+ add-ons that extend WordPress's core functionality but operate outside WordPress's core security team.
Almost every week brings a new report of a WordPress plugin vulnerability. The velocity is not slowing. The plugin ecosystem grows faster than security researchers can audit it, and many plugin developers are solo operators or small teams without dedicated security practices. The result is a vulnerability discovery rate that overwhelms enterprise security teams attempting to maintain WordPress installations.
Volume Creates Invisibility
When vulnerability disclosures number in the tens of thousands annually, individual CVEs lose visibility. A CVSS 9.8 authentication bypass in a plugin affecting 500,000 sites gets one news cycle, then is buried by the next disclosure. Enterprise security teams cannot track, evaluate, and patch vulnerabilities at this rate. The volume itself becomes the vulnerability — important patches are missed because they are indistinguishable from the noise.
This is a structural problem, not a people problem. No security team, regardless of size, can effectively process 48,185 vulnerabilities per year — 132 per day. The appropriate response is not more security staff; it is less attack surface.
The Framework Comparison
WordPress's 18,005 cumulative CVEs contrast sharply with modern frameworks. Django has 98 cumulative CVEs. Next.js has 12. Hugo, Astro, and Eleventy have zero. The disparity is not because modern frameworks are younger — Django is older than many WordPress plugins. The disparity is architectural: frameworks without plugin ecosystems, without server-side PHP runtimes, and without database-connected admin panels have fundamentally less attack surface.
The Cost Calculation
Each CVE has a response cost: triage, evaluation, testing, patching, deployment, and verification. At 132 WordPress-ecosystem CVEs per day, the annual security maintenance cost for a WordPress installation is not a line item — it is a department. Organizations budgeting for web infrastructure should include the CVE response cost alongside hosting, development, and licensing. For WordPress, that cost is growing 20% annually with no sign of deceleration.


