We track 52,174 plugins and 8,022 themes in our database. Across that entire ecosystem, we've catalogued 34,951 vulnerabilities. That's not a projection or an estimate — that's the actual CVE count right now. If you're running a WordPress site and you're not paying attention to plugin security, this article is for you.
Let's look at what the data actually shows.
The Severity Breakdown
Most vulnerabilities aren't the end-of-the-world kind. Here's how the 34,951 CVEs break down by severity:
- Critical: 2,479 (7%)
- High: 6,770 (19%)
- Medium: 25,563 (73%)
- Low: 139 (<1%)
The medium category dominates because most XSS bugs — more on those in a second — land at CVSS 6.x. That said, 2,479 critical CVEs is nothing to shrug at. And some of the recent criticals are the kind that make you want to take a long walk outside.
What's Actually Being Exploited: The Vulnerability Types
XSS Is Absolutely Everywhere
Cross-Site Scripting accounts for 15,036 CVEs — about 43% of everything in the database. It's the undisputed king of WordPress vulnerabilities, and that's been true for years.
Most of these are Stored XSS bugs requiring Contributor-level access, which sounds low-risk until you remember that many WordPress sites let registered users post content. A malicious Contributor injecting a script that fires for admins can escalate to a full site takeover. It happens.
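To make the Contributor-to-admin path concrete, here is an added example (not code from the article or from any plugin it names) of a hypothetical plugin that stores a "tagline" on a post and renders it on the front end. The vulnerable form saves and echoes the raw value; the hardened form checks the capability, sanitizes on input and escapes on output for the context it prints into. Function and meta-key names are invented.

```php
<?php
/*
 * Added example (not from the article): a hypothetical meta box that lets
 * post authors, Contributors included, store a tagline. All names invented.
 */

// --- VULNERABLE: raw input saved, raw output echoed -----------------------
function example_save_tagline_vulnerable( $post_id ) {
    if ( isset( $_POST['example_tagline'] ) ) {
        // Whatever the Contributor typed is stored verbatim, markup and all.
        update_post_meta( $post_id, '_example_tagline', $_POST['example_tagline'] );
    }
}

function example_render_tagline_vulnerable( $post_id ) {
    // Stored markup runs in the browser of anyone who views or previews the
    // post, including the administrator reviewing a Contributor's draft.
    echo '<p class="tagline">' . get_post_meta( $post_id, '_example_tagline', true ) . '</p>';
}

// --- HARDENED: capability check, sanitize on input, escape on output -------
function example_save_tagline( $post_id ) {
    if ( ! isset( $_POST['example_tagline'] ) ) {
        return;
    }
    // Only users allowed to edit this post may change its meta.
    // (A nonce check belongs here as well; see the CSRF discussion.)
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Strip tags and normalise whitespace before storing.
    $tagline = sanitize_text_field( wp_unslash( $_POST['example_tagline'] ) );
    update_post_meta( $post_id, '_example_tagline', $tagline );
}
add_action( 'save_post', 'example_save_tagline' );

function example_render_tagline( $post_id ) {
    $tagline = get_post_meta( $post_id, '_example_tagline', true );
    // Escape for the HTML body context. Input sanitisation alone is not
    // enough: other code paths (imports, REST, direct DB writes) can also
    // populate this meta key.
    echo '<p class="tagline">' . esc_html( $tagline ) . '</p>';
}

function example_render_tagline_attr( $post_id ) {
    $tagline = get_post_meta( $post_id, '_example_tagline', true );
    // Attribute context needs the attribute escaper, URLs need esc_url().
    echo '<img src="' . esc_url( get_the_post_thumbnail_url( $post_id ) ) . '" alt="' . esc_attr( $tagline ) . '">';
}

function example_render_rich_tagline( $post_id ) {
    // If limited markup is a feature, allow-list it rather than trusting it.
    echo wp_kses_post( get_post_meta( $post_id, '_example_tagline', true ) );
}
```

The point of the three render functions is that the escaper follows the output context, not the data: the same string needs esc_html() in a text node, esc_attr() inside an attribute, and esc_url() in an href or src.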
Missing Authorization: The Quiet Killer
With 5,031 CVEs, missing authorization is the second most common class. These bugs let attackers call endpoints or perform actions they shouldn't be able to — sometimes without any authentication at all. The W3 Total Cache <= 2.8.1 Missing Authorization bug is a clean example: unauthenticated users could deactivate the plugin entirely or toggle extensions.
CSRF: Still Alive After All These Years
4,693 CVEs involve Cross-Site Request Forgery. These bugs trick logged-in users into performing actions they didn't intend to — changing settings, deleting content, you name it. Nonce checks prevent them. A lot of plugins skip the nonce checks.
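Missing authorization and CSRF usually show up in the same kind of handler, so one added example (not code from the article and not any real plugin's code) covers both of the sections above: an AJAX action that toggles a hypothetical "extension" on or off. The vulnerable form is reachable anonymously and checks nothing; the hardened form adds the nonce and the capability check separately, because a nonce proves only that the request came from a page this user loaded, and a capability check alone does nothing against a forged request from a logged-in admin's browser. Action names, option names and the extension list are invented.

```php
<?php
/*
 * Added example (not from the article): a toggle-extension AJAX action.
 * All names are invented; the $known list is constructed for illustration.
 */

// --- VULNERABLE ------------------------------------------------------------
function example_toggle_extension_vulnerable() {
    $name           = $_POST['extension'];
    $enabled        = ! empty( $_POST['enabled'] );
    $state          = get_option( 'example_extensions', array() );
    $state[ $name ] = $enabled;
    update_option( 'example_extensions', $state );
    wp_send_json_success( $state );
}
// Registered for logged-in users *and* anonymous visitors (nopriv), with no
// permission check inside: any request that reaches admin-ajax.php succeeds.
add_action( 'wp_ajax_example_toggle_vuln',        'example_toggle_extension_vulnerable' );
add_action( 'wp_ajax_nopriv_example_toggle_vuln', 'example_toggle_extension_vulnerable' );

// --- HARDENED --------------------------------------------------------------
function example_toggle_extension() {
    // CSRF: the request must carry a nonce issued to this user for this
    // action. check_ajax_referer() stops with a 403 response on failure.
    check_ajax_referer( 'example_toggle_extension', 'nonce' );

    // Authorization: who is allowed to do this at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Validate the input against the set of extensions that exist.
    $known = array( 'minify', 'cdn', 'object-cache' ); // constructed list
    $name  = isset( $_POST['extension'] ) ? sanitize_key( wp_unslash( $_POST['extension'] ) ) : '';
    if ( ! in_array( $name, $known, true ) ) {
        wp_send_json_error( 'unknown extension', 400 );
    }
    $enabled = ! empty( $_POST['enabled'] );

    $state          = get_option( 'example_extensions', array() );
    $state[ $name ] = $enabled;
    update_option( 'example_extensions', $state );
    wp_send_json_success( $state );
}
// No nopriv hook: anonymous requests never reach the handler.
add_action( 'wp_ajax_example_toggle', 'example_toggle_extension' );

// The admin page issues the nonce and hands it to the page's JavaScript,
// which posts it back as the "nonce" field checked above.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'action'  => 'example_toggle',
        'nonce'   => wp_create_nonce( 'example_toggle_extension' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The same two checks apply to REST routes: register_rest_route() takes a permission_callback, and a callback of `__return_true` on a state-changing route is the REST equivalent of the nopriv hook above.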
SQL Injection: Lower Volume, Higher Damage
SQLi sits at 2,354 CVEs. Fewer bugs, but the potential damage is much higher — database dumping, credential theft, full data exfiltration. The good news is that prepared statements are increasingly common in plugin code. The bad news is "increasingly common" still leaves plenty of gaps.
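As an added example (not from the article), here is the shape of the "plenty of gaps" problem in a hypothetical submissions table: the vulnerable query interpolates both a value and a column name, and the hardened version shows the two places $wpdb->prepare() alone does not cover. Table and column names are invented.

```php
<?php
/*
 * Added example (not from the article): querying a hypothetical
 * {$wpdb->prefix}example_submissions table. All names are invented.
 */

// --- VULNERABLE: untrusted strings concatenated into SQL -------------------
function example_find_submissions_vulnerable( $email, $order_by ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_submissions';
    return $wpdb->get_results(
        "SELECT id, email, created FROM $table WHERE email = '$email' ORDER BY $order_by"
    );
}

// --- HARDENED --------------------------------------------------------------
function example_find_submissions( $email, $order_by = 'created', $limit = 50 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_submissions';

    // Gap 1: identifiers. %s quotes a value, which is useless for a column
    // name, so ORDER BY input goes through an allow-list instead. (Newer
    // WordPress releases also offer an %i identifier placeholder.)
    $sortable = array( 'id', 'email', 'created' );
    if ( ! in_array( $order_by, $sortable, true ) ) {
        $order_by = 'created';
    }

    // Values go through prepare(): %s for strings, %d for integers.
    $sql = $wpdb->prepare(
        "SELECT id, email, created FROM {$table} WHERE email = %s ORDER BY {$order_by} DESC LIMIT %d",
        $email,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// Gap 2: LIKE. prepare() escapes quotes but not the LIKE wildcards % and _,
// so a user-supplied "%" would match every row. Escape them first.
function example_search_submissions( $fragment, $limit = 50 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_submissions';
    $pattern = '%' . $wpdb->esc_like( $fragment ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, created FROM {$table} WHERE email LIKE %s LIMIT %d",
            $pattern,
            absint( $limit )
        )
    );
}
```

A useful review habit: every `$wpdb->` call that is not wrapped in prepare() (get_results, get_var, query, and so on) should be able to show that nothing in its string came from a request.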
The Ugly Five: RFI, File Upload, Info Disclosure, Deserialization, Path Traversal
Rounding out the top ten:
- PHP Remote File Inclusion: 1,271 CVEs
- Unrestricted File Upload: 964 CVEs
- Sensitive Information Disclosure: 907 CVEs
- Deserialization: 712 CVEs
- Path Traversal: 645 CVEs
Unrestricted file upload and deserialization deserve special attention because they're frequently the vector for remote code execution — the worst outcome you can have.
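Because these two classes are the usual road to code execution, here is an added example (not from the article, not any real plugin's code) of a hypothetical form plugin doing both things the safe way: accepting an attachment through WordPress's own upload pipeline with an explicit type allow-list, and loading stored settings without letting PHP instantiate arbitrary classes. Function names and the allow-list are invented.

```php
<?php
/*
 * Added example (not from the article): attachment handling and settings
 * loading for a hypothetical form plugin. All names are invented.
 */

// --- VULNERABLE upload: trusts the client-supplied name and type -----------
function example_handle_attachment_vulnerable() {
    $dest = wp_upload_dir()['basedir'] . '/example/' . $_FILES['attachment']['name'];
    move_uploaded_file( $_FILES['attachment']['tmp_name'], $dest );
    return $dest;
}

// --- HARDENED upload -------------------------------------------------------
function example_handle_attachment() {
    if ( empty( $_FILES['attachment'] ) || ! is_uploaded_file( $_FILES['attachment']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }

    // Allow-list of what this form actually needs. wp_handle_upload() checks
    // the extension and sniffs the content against it (via
    // wp_check_filetype_and_ext) and rejects anything outside this list.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $overrides = array(
        'test_form' => false, // not coming from the media-library form
        'mimes'     => $allowed,
    );
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['attachment'], $overrides );

    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    // $result['file'] is a path WordPress chose (sanitized, unique name inside
    // the uploads directory), never the client-supplied filename.
    return $result['file'];
}

// --- VULNERABLE deserialization -------------------------------------------
function example_load_settings_vulnerable( $stored ) {
    // Instantiates whatever class the serialized blob names, running that
    // class's magic methods with attacker-chosen properties.
    return unserialize( $stored );
}

// --- HARDENED: no object instantiation, or no PHP serialization at all ----
function example_load_settings( $stored ) {
    // PHP 7+: refuse to build objects. Any serialized object becomes a
    // __PHP_Incomplete_Class instead of a live instance of a real class.
    $data = @unserialize( $stored, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}

function example_save_settings( array $settings ) {
    // Prefer a format with no object semantics for anything user-influenced.
    return wp_json_encode( $settings );
}

function example_load_settings_json( $stored ) {
    $data = json_decode( $stored, true );
    return is_array( $data ) ? $data : array();
}
```

The upload allow-list is the part plugins most often leave out: calling wp_handle_upload() without a 'mimes' override falls back to the site-wide allowed types, which is broader than any one form needs.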
Which Plugin Categories Keep Showing Up
Contact Forms: The Most Consistently Broken Category

No other plugin category produces as many high-severity vulnerabilities as contact forms. The reason is pretty obvious in hindsight: form plugins accept untrusted input, process it server-side, store it in the database, and often expose REST or AJAX endpoints. That's a lot of attack surface.
Ninja Forms leads the all-time count at 75 CVEs (security score: 76/100), with a recent string of information disclosure bugs. CVE-2026-2268 let anyone dump submission data without authentication (CVSS 7.5). Before that, CVE-2025-9083 was an unauthenticated PHP Object Injection at CVSS 8.1. The developer's average patch time sits at over 1,000 days historically — though recent patches have been much faster.
Forminator has 36 CVEs. Fluent Forms has 27. Even the smaller players aren't clean — NEX-Forms has 30 CVEs despite only 7,000 active installs.
The worst recent example isn't in our plugin database because it's a premium product: Everest Forms Pro got hit with CVE-2026-3300 — unauthenticated Remote Code Execution via the calculation field, CVSS 9.8. Patched in 24 hours, but if you were running an unpatched version, anyone on the internet could execute arbitrary code on your server.
Kali Forms (20,000 installs) had the same problem: CVE-2026-3584 — unauthenticated RCE via form_process, also CVSS 9.8, patched within a day.
And Contact Form by Supsystic (7,000 installs) picked up a Server-Side Template Injection bug in its prefill functionality (CVE-2026-4257, CVSS 9.8). No auth required.
Cache Plugins: High Install Counts Make These Extra Painful

Cache plugins are installed on millions of sites, so a single critical bug has massive reach.
W3 Total Cache (900,000 installs, security score: 75/100) has had 29 CVEs and collected some genuinely bad ones lately. CVE-2026-27384 was unauthenticated arbitrary code execution at CVSS 9.8 — fixed in v2.9.2 after 11 days. Then just days ago, CVE-2026-5032 exposed security tokens via the User-Agent header (CVSS 7.5), patched in v2.9.4. The BoldGrid team's historical average patch time is 817 days, though recent turnarounds have been much better.
WP Fastest Cache (1,000,000 installs) carries 35 CVEs and a security score of 76. WP Super Cache actually looks decent by comparison — 12 CVEs, score of 95, and no new vulnerabilities since 2022.
SEO Plugins: High Installs, Manageable Track Records

SEO is a category where install counts are enormous but the security record is actually not terrible.
Yoast SEO (10,000,000 installs) has 18 historical CVEs and a score of 89. Rank Math (3,000,000 installs) has 20 CVEs and scores 86. All in One SEO (3,000,000 installs) has 26 CVEs and scores 82. None of these have unpatched vulnerabilities right now, and the last critical bugs in this category are old. SEOPress is the standout with a score of 94 and its last vulnerability over a year ago.
Page Builders and Their Add-ons: Volume from Attack Surface

Elementor itself (10,000,000 installs) scores 88 with 46 historical CVEs — that's actually a reasonable track record for a plugin that large. The add-on ecosystem is messier. Essential Addons for Elementor (2,000,000 installs) has 56 CVEs and scores 76. Premium Addons for Elementor does better: 35 CVEs but a score of 95, and all patched.
The Unpatched Problem
Right now there are active critical vulnerabilities with no fix available. A few from the past 90 days:
- ACPT Pro <= 2.0.47 — Unauthenticated RCE (CVE-2026-25470), CVSS 9.8. No patch.
- FormGent <= 1.4.2 — Unauthenticated arbitrary file deletion (CVE-2026-22460), CVSS 9.1. No patch.
- WeDesignTech Ultimate Booking Addon <= 1.0.1 — Authentication bypass (CVE-2026-27389), CVSS 9.8. No patch.
If you're running any of these, the answer is to deactivate and remove the plugin until a fix ships. There's no safe way to run a plugin with a known unauthenticated RCE and no patch.
What You Should Actually Do
Audit your installed plugins. Go through your list and check each one against our database. Pay special attention to form plugins, cache plugins, and anything that accepts user input.
Set up automatic updates for security releases. Most hosts support this. Most WordPress sites don't have it turned on.
Watch the unpatched filter. Our vulnerability search lets you filter to unpatched-only bugs. Check it weekly if you run multiple sites. Unpatched critical vulnerabilities are the ones attackers are actively targeting.
Be skeptical of low-install-count plugins. The worst recent bugs — unauthenticated RCE, privilege escalation — frequently appear in plugins with under 1,000 installs. Small plugins get less scrutiny, and their developers sometimes abandon them without notice.
Don't assume a high install count means safety. W3 Total Cache has 900,000 installs and just had a CVSS 9.8 unauthenticated code execution bug. Popular doesn't mean secure.
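The audit and auto-update steps above can be scripted. Here is an added example (not from the article or its database) of a must-use plugin that compares installed plugin versions against a small advisory list and opts plugins into automatic updates. The advisory entries reuse the three unpatched items and versions listed earlier, but the slugs are placeholders because the article does not give them; replace the list with a real feed before relying on it. Two caveats a practitioner should know: get_plugins() keys entries by "dir/file.php", so single-file plugins get a slug of "."; and the auto_update_plugin filter enables all plugin updates, since WordPress does not distinguish security releases from other releases.

```php
<?php
/*
 * Added example (not from the article): drop in wp-content/mu-plugins/.
 * Advisory slugs are PLACEHOLDERS; versions and CVE ids are from the
 * article's unpatched list.
 */

// Constructed advisory list: slug => highest affected version, in the
// "<= x.y.z" form the article uses.
function example_advisories() {
    return array(
        'acpt-pro-PLACEHOLDER-SLUG'     => array( 'max_affected' => '2.0.47', 'cve' => 'CVE-2026-25470', 'patched' => false ),
        'formgent-PLACEHOLDER-SLUG'     => array( 'max_affected' => '1.4.2',  'cve' => 'CVE-2026-22460', 'patched' => false ),
        'wedesigntech-PLACEHOLDER-SLUG' => array( 'max_affected' => '1.0.1',  'cve' => 'CVE-2026-27389', 'patched' => false ),
    );
}

// Pure function so it can be exercised without a WordPress runtime:
// $installed is slug => version, $advisories as above.
function example_audit_plugins( array $installed, array $advisories ) {
    $findings = array();
    foreach ( $installed as $slug => $version ) {
        if ( ! isset( $advisories[ $slug ] ) ) {
            continue;
        }
        $adv = $advisories[ $slug ];
        if ( version_compare( $version, $adv['max_affected'], '<=' ) ) {
            $findings[ $slug ] = array(
                'installed' => $version,
                'cve'       => $adv['cve'],
                'action'    => $adv['patched'] ? 'update' : 'deactivate and remove',
            );
        }
    }
    return $findings;
}

// slug => version for every installed plugin, active or not.
function example_installed_plugins() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $out = array();
    foreach ( get_plugins() as $file => $data ) {
        $out[ dirname( $file ) ] = $data['Version'];
    }
    return $out;
}

// Surface findings in the dashboard and in the PHP error log.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    $findings = example_audit_plugins( example_installed_plugins(), example_advisories() );
    foreach ( $findings as $slug => $f ) {
        $line = sprintf( '%s %s affected by %s: %s', $slug, $f['installed'], $f['cve'], $f['action'] );
        error_log( 'plugin audit: ' . $line );
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $line ) );
    }
} );

// Opt every plugin into automatic updates. WordPress 5.5+ also exposes this
// per plugin on the Plugins screen; this filter sets the default for all.
add_filter( 'auto_update_plugin', '__return_true' );
```

Running the audit on every admin page load is fine for a handful of entries; with a real feed, cache the result in a transient and refresh it on a daily cron event instead.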
The ecosystem is big, the CVE count is real, and the attack surface isn't shrinking. Keeping up with it doesn't require paranoia — just consistent, boring hygiene.
