Skip to content
Business Efficiency

WordPress Has 18,005 CVEs. It Added Zero Official Releases Last Year.

Vulnerability discovery outpaces feature development. More researchers file bugs than developers ship code.

· 4 min read
Share on X LinkedIn
WordPress Has 18,005 CVEs. It Added Zero Official Releases Last Year.

The Ratio That Matters

WordPress has accumulated 18,005 CVEs in the National Vulnerability Database. Four are rated critical. Twenty-three are rated high-severity. The number continues to grow. What does not continue to grow is the rate of official releases. In the last twelve months, WordPress shipped zero major releases. The project's GitHub repository shows 21,204 stars and approximately 1,679 commits per year — a respectable level of activity for maintenance, but not for a platform that serves as the foundation for a significant portion of detected websites.

The arithmetic is straightforward. When vulnerability discovery outpaces feature development, a project has transitioned from building to defending. WordPress is not evolving. It is being excavated.

18,005
WordPress total CVEs
Source: NVD/NIST (June 2026)
4 critical, 23 high
Critical / High severity
Source: NVD/NIST (June 2026)
0
Official releases (last 12 months)
Source: WordPress.org Release Archive (June 2026)

What the Comparison Reveals

Hugo, the static site generator, has zero CVEs. Not zero critical CVEs — zero CVEs of any kind, ever. FastAPI has 39 total CVEs across its entire history. Next.js has 92 CVEs but also logged 5,870 commits in the past year, reflecting a project that ships features alongside security fixes. The ratio of vulnerabilities to development velocity tells you whether a project is growing or eroding.

WordPress's 18,005 CVEs do not mean 18,005 active exploits. Many are in plugins and themes, not WordPress core. Many have been patched. But the aggregate number represents something that matters to organizations evaluating total cost of ownership: the surface area of historical risk. Every CVE is a disclosure, a patch cycle, a decision point for system administrators. At 18,005, those decision points have become a permanent operational burden.

0
Hugo total CVEs
Source: NVD/NIST (June 2026)
5,870
Next.js commits/year
Source: GitHub API (June 2026)

The Operational Cost

For organizations running WordPress, the cost is not the CVEs themselves. It is the process around them. Each vulnerability requires assessment: does it affect our configuration? Is the patch compatible with our plugins? Can we deploy during business hours? For a platform with 18,005 historical CVEs, this process is not occasional — it is continuous. Security teams monitoring WordPress installations are not protecting a website. They are operating a vulnerability management program.

The question for budget owners is not whether WordPress can be secured. With sufficient investment in WAFs, plugin auditing, patch management, and security monitoring, any platform can be hardened. The question is whether that investment makes sense when alternatives exist that require a fraction of the security overhead. Hugo's zero CVEs are not a marketing claim. They are a line item that does not appear in the security budget.

WordPress remains functional. Millions of sites run on it without incident. But functionality and security cost are different metrics. A platform that accumulates vulnerabilities faster than it ships features has shifted the cost of ownership from development to defense. That shift is visible in the data, and it compounds annually.

39
FastAPI total CVEs
Source: NVD/NIST (June 2026)
21,204
WordPress GitHub stars
Source: GitHub API (June 2026)
Share this insight