A new report about the state of WordPress security called attention to the hidden threat posed by premium plugins and to the fact that hackers are increasingly exploiting vulnerabilities before many sites can patch them.
Security Is Increasingly A Race Against Time
The State of WordPress Security report from the WordPress security company Patchstack shows that hackers are exploiting the gap between the time a vulnerability is disclosed and the time a site gets around to patching it. The traditional assumption is that site owners have time to evaluate, patch, and deploy fixes, but that is increasingly no longer the case.
The timeline between discovery and site patch is being compressed by faster exploitation, sometimes almost immediately after disclosure. Defensive processes that depend on timely patching become a race against time when exploitation begins within hours.
The Patchstack report explains:
“When analysing the speed at which attackers weaponize new vulnerabilities, we found that approximately half of high impact vulnerabilities get exploited within 24 hours.
When we account for how intense the exploitation was (by weighting based on observed activity), then the weighted median time to first exploit is 5 hours. This suggests that the most heavily targeted vulnerabilities are typically attacked within hours, not days.”
Site owners should integrate this knowledge into their security workflow to minimize the time between receiving notice of a vulnerability and patching it.
The Scale of Exposure Is Expanding
The volume of disclosed vulnerabilities rose sharply in 2025. Most of those vulnerabilities were found in plugins rather than WordPress core, placing the majority of exposure in the extension layer maintained by thousands of independent developers.
At the same time, the report identifies additional pressures affecting WordPress security:
- Limited visibility into premium marketplace components
- Rapid exploitation timelines following disclosure
- Multi-stage, persistent attack behavior after compromise
- An expanding application layer that includes custom-coded and third-party software libraries or packages (like JavaScript or PHP components)
The report explains:
“Overall 11,334 new vulnerabilities were found in the WordPress ecosystem in 2025 – that’s a 42% increase compared to 2024.
Of all new vulnerabilities found, 4,124 (36%) represented an actual threat and were serious enough to require RapidMitigate protection rules.
1,966 (17%) vulnerabilities had a high severity score, meaning they were likely to be exploited in automated mass-scale attacks.
In fact, more high-severity vulnerabilities were discovered in the WordPress ecosystem in 2025 than in the previous two years combined. This increase largely came from premium components on marketplaces like Envato, and highlights the security visibility problem of such components and marketplaces. Because these components are not readily available to security researchers, it is harder to find security issues in them.”
The findings show that risk is distributed across both the free plugin ecosystem and premium marketplace components, where limited visibility has made flaws harder to detect.
Premium Components Show High Exploitability Rates
Premium marketplace plugins and themes often receive less independent scrutiny due to limited code access. But fewer discovered vulnerabilities do not necessarily mean lower risk. Patchstack’s data shows that a high percentage of vulnerabilities found in premium plugins and themes were exploitable in real-world attacks.
Patchstack explains:
“To understand the threat landscape of premium plugins and themes, last year we conducted focused research on premium marketplaces such as Envato.
Overall we received 1,983 valid vulnerability reports for Premium or freemium components, making up 29% of total reports.
59% of those were high Patchstack Priority vulnerabilities that can be used in automated mass attacks.
A further 17% had medium Patchstack Priority, meaning they can be exploited in more targeted attacks.
That means 76% of vulnerabilities found in Premium components were exploitable in real-life attacks.
Furthermore, our Zero Day program found 33 highly critical vulnerabilities in Premium components, compared to only 12 in free components.”
The takeaway is that a high percentage of vulnerabilities found in premium components were exploitable in real-world attacks.
Delays In Patch Availability
Software updates are a cornerstone of WordPress plugin and theme security, but they depend on fixes being available when vulnerabilities are disclosed, which is not always the case. Patch delays leave site owners exposed during the period when exploitation interest is highest.
Patchstack shares that plugin and theme developers failed to provide a timely fix for 46% of vulnerabilities.
Infrastructure Defenses Block Only a Minority of Attacks
Hosting providers rely on web application firewalls and similar defenses, but testing showed those measures blocked only a minority of WordPress vulnerability attacks.
Patchstack shares the results of their testing:
“In a large-scale pentest of popular web hosting companies, only 26% of all vulnerability attacks were blocked.”
Older Vulnerabilities Remain Active Targets
A startling finding is that attackers continue to exploit older vulnerabilities. Patchstack shares that only four of the ten most-targeted vulnerabilities were published in 2025; the rest were older.
“When looking at top ten vulnerabilities that were being targeted most by attackers, we see that only four were published in 2025.”
The report lists the following vulnerable plugin versions, which many sites have still not updated past:
- WordPress LiteSpeed Cache Plugin <= 5.7 (2024)
- WordPress tagDiv Composer Plugin < 4.2 (2023)
- WordPress Startklar Elementor Addons Plugin <= 1.7.13 (2024)
- WordPress GiveWP Plugin <= 3.14.1 (2024)
- WordPress LiteSpeed Cache Plugin <= 6.3.0.1 (2024)
- WordPress WooCommerce Payments Plugin <= 5.6.1 (2023)
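As an added illustration (not code from the report or from Patchstack), the following Python script reads the JSON that `wp plugin list --format=json` prints and flags installed plugins that fall inside the version ranges listed above, so a site owner can close the discovery-to-patch gap the report describes. The plugin slugs and the sample inventory are assumptions made for the example.

```python
import json

# Vulnerable version ranges quoted in the report's top-ten list above.
# Plugin slugs are assumed for this example (the page gives names, not slugs).
# "le" means "<=" and "lt" means "<", matching the report's notation.
KNOWN_VULNERABLE = [
    ("litespeed-cache", "le", "5.7", "LiteSpeed Cache <= 5.7 (2024)"),
    ("td-composer", "lt", "4.2", "tagDiv Composer < 4.2 (2023)"),
    ("startklar-elmentor-forms-extwidgets", "le", "1.7.13", "Startklar Elementor Addons <= 1.7.13 (2024)"),
    ("give", "le", "3.14.1", "GiveWP <= 3.14.1 (2024)"),
    ("litespeed-cache", "le", "6.3.0.1", "LiteSpeed Cache <= 6.3.0.1 (2024)"),
    ("woocommerce-payments", "le", "5.6.1", "WooCommerce Payments <= 5.6.1 (2023)"),
]

def parse_version(v):
    """Turn '6.3.0.1' into (6, 3, 0, 1); non-numeric parts become 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:  # so 5.7.0 compares equal to 5.7
        parts.pop()
    return tuple(parts)

def is_affected(installed, op, boundary):
    """True if the installed version is inside the vulnerable range."""
    a, b = parse_version(installed), parse_version(boundary)
    return a <= b if op == "le" else a < b

def find_exposed(plugin_list_json):
    """Return [(slug, installed_version, label)] for plugins in a known-vulnerable range."""
    hits = []
    for p in json.loads(plugin_list_json):
        for slug, op, boundary, label in KNOWN_VULNERABLE:
            if p["name"] == slug and is_affected(p["version"], op, boundary):
                hits.append((slug, p["version"], label))
    return hits

# Constructed sample inventory mimicking `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "litespeed-cache", "status": "active", "update": "available", "version": "6.3.0.1"},
    {"name": "give", "status": "active", "update": "none", "version": "3.15.0"},
    {"name": "td-composer", "status": "inactive", "update": "none", "version": "4.1"},
    {"name": "woocommerce-payments", "status": "active", "update": "none", "version": "5.6.2"},
])

if __name__ == "__main__":
    for slug, ver, label in find_exposed(SAMPLE):
        print(f"EXPOSED: {slug} {ver} falls in {label}")
```

Inactive plugins are reported too, since an installed-but-disabled plugin still ships its code to the web root and should be updated or removed.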
Post-Compromise Activity Emphasizes Persistence
Once access is gained, attackers increasingly seek to maintain access after the initial compromise rather than deploy one-time payloads.
Patchstack explains:
“This sustained increase suggests attackers are moving beyond opportunistic, one-off compromises. Instead, they’re investing in persistent infrastructure—planting uploaders that enable multi-stage attacks and long-term access to compromised sites.
Persistent infrastructure means attackers aren’t just exploiting vulnerabilities once and moving on. They’re establishing footholds that allow them to return, deploy additional payloads, and maintain access even after initial infections are cleaned.”
Modern malware frequently embeds itself inside legitimate files or uses runtime techniques to avoid detection. This makes cleanup more difficult than simply deleting obviously malicious files.
The 2026 Outlook
Patchstack projects that the code running WordPress sites will continue expanding beyond traditional packaged components. Securing WordPress environments now requires accounting for code that lives outside standard plugin and theme distributions.
This code may not pass through normal plugin or theme update channels. The expanding attack surface includes:
- Custom-coded plugins developed for individual sites or agencies
- JavaScript and PHP packages pulled into projects as dependencies
- AI-generated code used to build features or entire front ends
Securing WordPress now requires visibility into custom-coded and generated components, not just installed plugins and themes.