What EPSS Actually Measures
CVE counts tell you how many vulnerabilities a framework has. CVSS scores tell you how bad each one could be in theory. Neither tells you what a CISO actually needs to know: which ones will be exploited in the real world, against real targets, in the next 30 days. That is what EPSS — the Exploit Prediction Scoring System — measures. Developed by FIRST.org and based on observed exploit activity, EPSS assigns each CVE a probability score from 0 to 1. A score of 0.98 means: there is a 98% chance this vulnerability will be exploited in the wild within 30 days.
WordPress's highest EPSS score across its vulnerability catalog is 0.98. That is the highest of any framework WebPulse tracks. It is not a theoretical risk assessment. It is a statistical prediction grounded in real-world exploit telemetry.
The CISA Confirmation
EPSS predictions are validated by CISA's Known Exploited Vulnerabilities catalog — the definitive list of CVEs confirmed to be actively used in attacks. WordPress has 4 entries. Drupal has 5. Spring has 5. Magento has 3. These are not potential threats. They are confirmed, active attack vectors that federal agencies are required to patch under Binding Operational Directive 22-01.
The correlation between EPSS scores and KEV entries is not accidental. The frameworks with the highest exploit probability scores are the same ones appearing in CISA's catalog. Drupal's EPSS of 0.85 maps to 5 KEV entries. Magento's 0.97 maps to 3 KEV entries. WordPress's 0.98 maps to 4 KEV entries. When EPSS says a vulnerability is almost certain to be exploited, CISA's data confirms it already has been.
React's Outlier: EPSS 1.0
One data point stands out. React — a frontend framework with a fundamentally different attack surface than server-side CMS platforms — has the single highest EPSS score in the dataset: 1.0. Two React-related CVEs appear in the CISA KEV catalog. This is not because React is inherently less secure than Angular or Vue. It is because React's massive deployment footprint — powering the frontends of companies across every industry — makes any exploitable vulnerability a high-value target.
The lesson: EPSS scores are a function of both vulnerability severity and target value. WordPress scores 0.98 because it is everywhere and its vulnerabilities are accessible. React scores 1.0 because its deployment scale makes even a moderate vulnerability worth weaponizing. Both facts should inform infrastructure decisions.
The Frameworks Nobody Is Attacking
Eight frameworks in the WebPulse dataset have zero CISA KEV entries and EPSS scores near zero: Astro, FastAPI, Hugo, HTMX, Nuxt.js, SvelteKit, Gatsby, and Eleventy. The pattern is architectural. These are modern, API-first or static-site frameworks with minimal server-side attack surface. They do not ship admin panels, plugin systems, or database abstraction layers. They do not expose XML-RPC endpoints or file upload handlers.
For a CISO evaluating framework risk, EPSS provides the clearest available signal. Not how many CVEs exist, but how many will be used against you. By that measure, the legacy CMS platforms — WordPress, Drupal, Joomla, Magento — are not just historically vulnerable. They are actively, predictably, and measurably under attack.
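To make the prioritization the article argues for concrete, here is an added Python example (not code from the article or from WebPulse) that ranks scanner findings KEV-first, then by EPSS, with CVSS only breaking ties, and computes the per-framework "highest EPSS / KEV count" pair the text compares. The EPSS and KEV inputs are constructed samples in the assumed shape of FIRST's EPSS API JSON and CISA's KEV JSON feed; the CVE ids, scores and due dates are placeholders.

```python
import json

# Constructed sample shaped like FIRST's EPSS API JSON (field names assumed; ids and scores are placeholders).
EPSS_RESPONSE = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-0000-0001", "epss": "0.980000000"},
    {"cve": "CVE-0000-0002", "epss": "0.250000000"},
    {"cve": "CVE-0000-0003", "epss": "0.850000000"},
    {"cve": "CVE-0000-0004", "epss": "0.000500000"},
]})
# Constructed sample in the shape of CISA's KEV JSON feed (same caveat on field names).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2024-01-31"},
    {"cveID": "CVE-0000-0003", "dueDate": "2024-02-15"},
]})
# Constructed scanner findings (cve, framework, cvss). CVE-0000-0004 has the highest
# CVSS but a near-zero EPSS: the case where CVSS-first ordering misleads.
FINDINGS = [
    ("CVE-0000-0001", "wordpress", 7.5),
    ("CVE-0000-0002", "wordpress", 6.5),
    ("CVE-0000-0003", "drupal", 8.1),
    ("CVE-0000-0004", "fastapi", 9.1),
]
def load_epss(raw):
    """Map CVE id -> EPSS probability (the API returns scores as strings)."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(raw)["data"]}

def load_kev(raw):
    """Map CVE id -> BOD 22-01 remediation due date for catalogued CVEs."""
    return {v["cveID"]: v["dueDate"] for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, epss, kev, epss_threshold=0.1):
    """Order: KEV first (earliest due date), then EPSS descending; CVSS only breaks ties."""
    def key(f):
        cve, _, cvss = f
        return (cve not in kev, kev.get(cve, ""), -epss.get(cve, 0.0), -cvss)
    ranked = []
    for cve, fw, cvss in sorted(findings, key=key):
        p = epss.get(cve, 0.0)
        tier = (f"KEV (due {kev[cve]})" if cve in kev
                else "likely exploited" if p >= epss_threshold else "backlog")
        ranked.append((cve, fw, cvss, p, tier))
    return ranked

def framework_summary(findings, epss, kev):
    """Per framework: (highest EPSS, KEV entry count), the two numbers the article compares."""
    out = {}
    for cve, fw, _ in findings:
        mx, n = out.get(fw, (0.0, 0))
        out[fw] = (max(mx, epss.get(cve, 0.0)), n + int(cve in kev))
    return out
```

With real data you would fetch the EPSS API and the KEV feed instead of the embedded samples; the 0.1 threshold is an illustrative cut-off, not a FIRST or CISA recommendation.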