Category: Security

  • Patchstack Whitepaper: WordPress Plugin Vulnerabilities Rise by 34% as CRA Compliance Deadline Nears

    Patchstack’s State of WordPress Security in 2025 report highlights another record-breaking year for reported WordPress vulnerabilities and warns that the community is not ready for the European Union’s new Cyber Resilience Act (CRA).

    In 2024, security researchers uncovered 7,966 new vulnerabilities in the WordPress ecosystem—a 34% increase from the previous year, averaging 22 vulnerabilities per day. Plugins continue to dominate as the primary weak point, accounting for 96% of all reported issues. Notably, 43% of the vulnerabilities required no authentication to exploit, leaving websites particularly vulnerable to automated attacks.

    Oliver Sild, CEO of Patchstack, told The Repository that the most critical takeaway from this year’s report is that developers should expect more scrutiny and vulnerability reports than ever before.

    “Plugin developers should understand there are more eyes than ever on the security of their plugins,” Sild said. “Every developer should anticipate receiving a vulnerability report next year. What’s crucial is how they handle these reports and whether they have proper vulnerability disclosure programs in place. This will significantly influence end-user trust.”

    The report reveals a troubling gap in security practices: more than half of the plugin developers contacted by Patchstack in 2024 failed to release a fix before public disclosure. In total, 33% of all reported vulnerabilities remained unpatched when publicly disclosed, leaving thousands of websites exposed.

    Sild attributed the delays to a lack of formal processes for handling security reports, which are often routed through customer support channels—sometimes inaccessible without a premium license. “There are also a lot of plugins that aren’t actively maintained anymore,” he added.

    The problem of abandoned plugins continues to grow. In 2024, Patchstack’s bug hunting community contributed to the removal of 1,614 vulnerable plugins and themes from WordPress.org, yet many remain installed on live websites.

    The report dispels a common misconception that popular plugins are inherently safer. Over 1,000 vulnerabilities were discovered in plugins with more than 100,000 active installs, including severe flaws in popular plugins such as LiteSpeed Cache, Really Simple SSL, Better Search Replace, and The Events Calendar. In 2024, Patchstack paid out its largest-ever bounty—$16,400—to researcher John Blackbourn for discovering a critical privilege escalation vulnerability in LiteSpeed Cache.

    Sild said relying on plugin updates alone was no longer enough, pointing to a Remote Code Execution vulnerability in Bricks Builder that was exploited within hours of public disclosure. Many generic Web Application Firewalls (WAFs), including Cloudflare and ModSec, failed to stop the attack due to limited visibility into WordPress-specific threats.

    “Patchstack vPatching is just taking away that exposure when updates are not available and to keep the website protected before it has been updated to a patched version,” Sild said. “It’s all about the speed to mitigation, and mitigating security vulnerabilities is one of the most important things because up to a half of all WordPress websites that get hacked, it’s caused by those vulnerabilities.”

    The CRA, Sild noted, could become a “GDPR moment” for WordPress developers, forcing a cultural shift toward formalized security practices across the ecosystem. To help developers ahead of its enforcement in 2026, Patchstack launched a free managed Vulnerability Disclosure Platform (mVDP) in September 2024, supported by the European Commission. The initiative helps plugin developers streamline security reporting and meet new regulatory obligations.

    Sild argues WordPress leadership has an opportunity—and a responsibility—to lead by example. “I think WordPress has a great opportunity to be a trailblazer, to show how the open source ecosystem can adopt the Cyber Resilience Act and take software and supply chain security to a more mature level,” he said. “It’s not just an opportunity to improve WordPress’s reputation, but it’s also a necessity.”

    The report flags growing community concerns around supply chain governance, as the ongoing dispute between WP Engine and Automattic has exposed risks beyond code—highlighting how trust and transparent security processes are now critical to the project’s long-term stability.

    Patchstack is already working alongside key figures in the WordPress security community to address these challenges. Last weekend, Néstor Angulo de Ugarte, Patchstack’s Head of Engineering and Security, and Blackbourn, who’s the WordPress Security Team rep and Director of WordPress Security at Human Made, led a project at the CloudFest Hackathon focused on strengthening the supply chain for open source software.

    Looking ahead, the report warns that AI is reshaping the threat landscape. Patchstack predicts that AI-powered tools will accelerate the exploitation of vulnerabilities, including those previously considered low priority, by enabling faster creation of attack scripts and more advanced malware.

    Disclaimer: Patchstack is a Community Sponsor of The Repository. As per our Advertising Policy, Patchstack did not influence the reporting of this story.

  • ACF patches vulnerability following Automattic disclosure misstep

    ACF developers at WP Engine have patched a vulnerability affecting both the free and Pro versions of the popular plugin after Automattic broke with established security reporting practices and disclosed the issue on X.

    ACF 6.3.8 patches an arbitrary code execution vulnerability involving the metabox callbacks that ACF-registered Post Types and Taxonomies hand to WordPress (the callable WordPress runs when it renders the editor screen for that post type or taxonomy). A user with ACF admin permissions could potentially use such a callback to act with another admin user’s permissions. This scenario, although unlikely, requires one of two setups: an admin user attacking another user who has permission to create or modify posts, or, in a Multisite installation, a site admin attempting to exploit a super admin in order to modify or add posts.

    Patchstack published an advisory about the vulnerability in its database today, noting that the issue poses a low-severity risk and is unlikely to be exploited.

    With over 2 million active installations, ACF is a popular tool among WordPress developers and has been caught in the crossfire as the conflict continues between Automattic and WP Engine. WP Engine remains blocked from accessing WordPress.org, and ACF developers are unable to access their accounts to push updates to the free version that’s hosted in the plugin repository.

    Despite the controversy, ACF developers moved quickly to release patched versions of the free and Pro plugins directly to users via a new update mechanism, announced last week, that avoids reliance on updates via WordPress.org.

    A patched copy of ACF was also provided to the WordPress Security Team, and it was uploaded to WordPress.org today. Core committer Aaron Jorbin posted on X that he was “Happy to see that a fix for the security issue with @wp_acf has been committed to WordPress.org and is flowing out to sites.”

    The vulnerability came to light on Saturday when Automattic posted on X that the company’s security team had reported a vulnerability in ACF to the plugin’s developers and owner, WP Engine. Automattic also warned that the rival hosting company had 30 days to issue a fix before public disclosure.

    Matt Mullenweg, Automattic’s CEO, reshared the post and asked his followers for suggestions on the best alternatives to ACF, adding, “I suspect there are going to be millions of sites moving away from it in the coming weeks.” 

    The posts prompted an immediate backlash from security experts, including WordPress Core Security Team lead John Blackbourn, who said that while Automattic had responsibly disclosed the vulnerability in ACF to its developers, the company had breached cybersecurity company Intigriti’s code of conduct by “irresponsibly announcing it publicly.” Blackbourn promised to “work my damned hardest to ensure that the fix gets shipped to dotorg if it affects the free version of ACF.”

    WP Engine works with Intigriti as its vulnerability disclosure program (VDP) provider.

    Both Automattic and Mullenweg’s posts were quickly deleted, but not before a further backlash in Post Status Slack, where Blackbourn and Patchstack CEO Oliver Sild criticized Mullenweg for publicly disclosing the existence of the vulnerability in ACF before a patch was available.

    “Disclosing the existence of a vulnerability mid-process is not part of a responsible disclosure ethos. In the infosec community, such a leak is considered a TI (threat intelligence) leak, which hackers are often looking for,” posted Sild. He stressed the importance of adhering to responsible disclosure practices, adding that validation and verification should occur before a coordinated disclosure—typically after a patch is released.