WordPress Security Statistics
Our Real-Time Database

Thousands of WordPress vulnerabilities analyzed, classified and continuously monitored

Key Figures

29,365

WordPress CVEs tracked

141,793

Plugins & themes monitored

33.3%

rated high or critical severity

101

Actively exploited CVEs (KEV)

112,217

Plugins monitored

29,576

Themes monitored

580

WordPress core CVEs

802

WordPress versions indexed

WordPress CVE Evolution by Year

242

2017

247

2018

973

2019

272

2020

1,033

2021

1,749

2022

4,068

2023

8,597

2024

10,324

2025

834

2026

×10

WordPress CVEs have increased by a factor of 10 between 2021 and 2025

CVSS v3 Severity Breakdown

Critical (9.0+)

2,025 CVEs 7.1%

High (7.0-8.9)

7,427 CVEs 26.2%

Medium (4.0-6.9)

18,675 CVEs 65.8%

Low (< 4.0)

272 CVEs 1%

Most Common Vulnerability Types

Cross-Site Scripting (XSS)
CWE-79

12,364

Cross-Site Request Forgery (CSRF)
CWE-352

3,854

Missing Authorization
CWE-862

3,366

SQL Injection
CWE-89

1,909

Unrestricted Dangerous File Upload
CWE-434

669

Most Vulnerable WordPress Plugins

1. Royal Addons for Elementor – Addons and Templates Kit for Elementor
royal-elementor-addons

62 CVEs

2. Ninja Forms – The Contact Form Builder That Grows With You
ninja-forms

61 CVEs

3. GiveWP – Donation Plugin and Fundraising Platform
give

60 CVEs

4. Download Manager
download-manager

57 CVEs

5. Essential Addons for Elementor – Popular Elementor Templates & Widgets
essential-addons-for-elementor-lite

55 CVEs

Protect your WordPress site before it's too late