WordPress Plugin Vulnerabilities Surged 42% Last Year. Most Hosts Did Nothing About It.

The biggest threat to your WordPress site is not some sophisticated hacking group. It is the plugins you installed eighteen months ago and forgot about, sitting on a hosting platform with no operations team watching.
Patchstack released their annual State of WordPress Security report last month, covering the full 2025 data set. The numbers should concern every business owner running WordPress, but the real story is not the vulnerabilities themselves. It is what happens, or what fails to happen, after they are discovered.
What Patchstack Found
According to Patchstack's 2026 whitepaper, researchers identified over 11,300 new vulnerabilities in the WordPress ecosystem last year, up roughly 42% on the previous year's count of just under 8,000 [1]. Of those, around 36% represented a genuine, exploitable threat requiring immediate mitigation. Highly exploitable vulnerabilities, the kind that can be used in automated mass attacks, increased by over 100% year on year.
Plugins account for somewhere between 96% and 97% of all WordPress vulnerabilities. Not themes. Not WordPress core. Plugins. The contact forms, booking systems, SEO tools, and cookie consent banners that business owners install and then stop thinking about.
The SolidWP weekly vulnerability report from 1 April 2026 confirms the trend has not slowed: 225 new vulnerabilities disclosed in a single week, 203 of them in plugins, with 91 remaining unpatched at the time of disclosure [2].
That last number is the one worth paying attention to.
The Five-Hour Window
Here is where the operational reality gets uncomfortable. Patchstack's data shows that the median time to first exploitation of a disclosed vulnerability is roughly five hours [1]. Twenty percent of heavily exploited vulnerabilities were targeted within six hours of disclosure. Seventy percent within seven days.
Reviewing our own monitoring dashboards this morning, we see the pattern hold. A vulnerability gets publicly disclosed on a Tuesday morning. By lunchtime, automated bots are scanning every WordPress site on the internet looking for that specific weakness. If your site runs the affected plugin and nobody has applied the patch or deployed a virtual mitigation rule, your site is exposed before you have finished your second cup of tea.

Consider a typical scenario, one we see variations of regularly. A Waterford manufacturer runs a trade catalogue site. They installed a popular form plugin two years ago. It works. They have not thought about it since. A critical vulnerability drops at 9am, and by early afternoon their site is redirecting visitors to a phishing page. They find out the next morning when a customer rings to ask why their browser flagged the site as dangerous.
That is a pattern, not a one-off.
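The scanning pattern described in this section is visible in an ordinary access log, and it is worth knowing what it looks like. The following is an added example, not code from the article or from Web60: it reads web server log lines in the combined format nginx and Apache write by default and flags any plugin slug that draws 404 responses from many distinct source addresses inside a short window, which is what a mass probe for a plugin you do not run looks like. The log lines, the plugin slugs and the IP addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Spot post-disclosure plugin probing in an ordinary access log.

Added example; not the article's or Web60's code. Bots request a plugin's
files on every site they can reach. On a site that does not run that plugin
every probe is a 404, so a burst of 404s for one plugin slug from many
distinct addresses stands out. Sample lines, slugs and IPs are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[A-Za-z0-9_.-]+)/")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six different addresses probe a plugin that is not
# installed here, two probe another slug, plus normal traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2026:09:14:07 +0000] "GET /wp-content/plugins/hypothetical-form-plugin/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Apr/2026:09:15:41 +0000] "GET /wp-content/plugins/hypothetical-form-plugin/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.40 - - [01/Apr/2026:09:16:00 +0000] "GET /wp-content/plugins/legacy-slider/readme.txt HTTP/1.1" 404 153 "-" "curl/8.0"',
    '192.0.2.77 - - [01/Apr/2026:09:17:02 +0000] "GET /wp-content/plugins/hypothetical-form-plugin/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Apr/2026:09:17:30 +0000] "GET /wp-content/plugins/hypothetical-form-plugin/assets/js/app.js HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.200 - - [01/Apr/2026:09:18:09 +0000] "GET /wp-content/plugins/installed-seo-plugin/assets/style.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.201 - - [01/Apr/2026:09:19:30 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2026:09:20:11 +0000] "GET /wp-content/plugins/hypothetical-form-plugin/readme.txt HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.88 - - [01/Apr/2026:09:25:55 +0000] "GET /wp-content/plugins/hypothetical-form-plugin/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [01/Apr/2026:09:28:44 +0000] "GET /wp-content/plugins/legacy-slider/readme.txt HTTP/1.1" 404 153 "-" "curl/8.0"',
    '192.0.2.130 - - [01/Apr/2026:09:31:18 +0000] "GET /wp-content/plugins/hypothetical-form-plugin/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]


def parse_plugin_request(line):
    """Return (timestamp, ip, plugin slug, status) for a request under
    /wp-content/plugins/, or None for anything else or an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PLUGIN_RE.match(m["path"])
    if not p:
        return None
    return (datetime.strptime(m["ts"], TS_FMT), m["ip"], p["slug"], int(m["status"]))


def find_probe_bursts(lines, window_minutes=60, min_sources=5, installed=()):
    """Return {slug: {"sources": n, "first": iso, "last": iso}} for plugin
    slugs that received 404s from at least min_sources distinct addresses
    within one window. "sources" is the largest distinct-address count seen
    in any single window. Slugs listed in `installed` are skipped: 404s for
    a plugin you do run are ordinary missing-asset noise, and the question
    there is whether it is patched, not whether it is being probed."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_plugin_request(line)
        if ev and ev[3] == 404 and ev[2] not in installed:
            events[ev[2]].append((ev[0], ev[1]))

    window = timedelta(minutes=window_minutes)
    bursts = {}
    for slug, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):           # sliding window over time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({ip for _, ip in evs[start:end + 1]}))
        if best >= min_sources:
            bursts[slug] = {
                "sources": best,
                "first": evs[0][0].isoformat(),
                "last": evs[-1][0].isoformat(),
            }
    return bursts


if __name__ == "__main__":
    for slug, info in find_probe_bursts(SAMPLE_LOG).items():
        print(f"{slug}: {info['sources']} sources, {info['first']} .. {info['last']}")
```

Run against a real log with `find_probe_bursts(open("/var/log/nginx/access.log"))` and the slugs it returns are the ones to check against that day's disclosures. A burst for a plugin you do not run is free intelligence about what is being hunted; a burst for one you do run, with 200s instead of 404s, is the case that needs the patch or the virtual mitigation rule immediately.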
Nearly Half Go Unpatched
The Patchstack report highlights something our operations team has tracked for years: roughly 46% of reported vulnerabilities did not receive a developer patch before public disclosure [1]. Nearly half of all discovered vulnerabilities were known to the public, and to attackers, before any fix existed.
For broader context, Verizon's 2025 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial attack vector surged around 34% year on year, with the median ransom demand sitting at approximately USD 115,000 [3]. Small and medium-sized businesses bear a disproportionate share of that burden, largely because they lack the dedicated security operations to respond quickly.
The EU is responding. As of 2026, every commercial WordPress plugin available to European users is required by law to have a vulnerability disclosure programme in place [1]. That is progress. But a disclosure programme does not patch the vulnerability. It only ensures someone reports it. The gap between reporting and fixing remains dangerously wide.
Why Your Hosting Provider Matters More Than You Think
If your WordPress site sits on a standard shared hosting plan, the security model is simple: you are on your own. The host provides a server. Whether the software running on that server is patched, monitored, or protected is entirely your responsibility.
A properly managed WordPress platform changes that equation. An operations team reviews vulnerability disclosures as they drop, deploys virtual patches before the plugin developer has even acknowledged the issue, runs automated malware scans across every site, and verifies that backups are restorable when something goes wrong.
That is what Web60's enterprise-grade Irish infrastructure delivers: server-level security hardening, fail2ban intrusion prevention, automatic malware scanning, and nightly backups with verified restores. All included for EUR 60 per year. No add-on security packages, no per-scan charges.
One important caveat. No managed host catches everything instantly. If an attacker discovers a zero-day vulnerability that nobody has reported yet, there is a window of exposure regardless of your hosting setup. What separates a managed platform from a self-managed one is the size of that window and the speed of the response when something is detected.
For businesses with large, complex WordPress deployments and their own dedicated security operations centre, running your own infrastructure and managing your own patching pipeline makes sense. For everyone else, an operations team watching your site around the clock is not a luxury. It is a baseline.
What This Means for Your Business
If you run a WordPress site for your business, the Patchstack report points to three practical steps.
First, audit your plugins. If you have plugins installed that you are not actively using, deactivate and remove them. Every plugin is an attack surface. We have written about how plugin auto-updates can introduce their own risks, but having fewer plugins to manage in the first place is the most effective risk reduction.
Second, check whether your hosting provider has proactive security monitoring. Not a basic firewall, but active vulnerability monitoring, virtual patching, and malware scanning. If the answer is "I do not know," that is your answer.
Third, verify your backups. Not that they exist, but that they actually restore. Our WordPress Security and Backup Guide covers what proper backup verification looks like in practice. A backup you have never tested is not a backup. It is a hope.
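The first step, the plugin audit, is the one that can be scripted, and it is more useful when the inventory is checked against disclosed vulnerabilities rather than just listed. The following is an added example, not Web60's or Patchstack's code. It takes the inventory in the shape WP-CLI prints for `wp plugin list --format=json --fields=name,status,version,update_version` (the field names are WP-CLI's; the values here are constructed, and an empty `update_version` for an up-to-date plugin is an assumption about that output) and a constructed advisory list in a shape of my own choosing, where `fixed_in` is `None` when no patched release existed at disclosure, the case this article puts at roughly 46%. All plugin slugs and advisory ids are hypothetical.

```python
"""Audit installed WordPress plugins against disclosed vulnerabilities.

Added example, not Web60's or Patchstack's code. SAMPLE_PLUGINS mirrors
`wp plugin list --format=json --fields=name,status,version,update_version`
(constructed values); SAMPLE_ADVISORIES is a constructed feed with one record
per disclosed issue. Slugs and advisory ids are hypothetical.
"""
import re
from collections import defaultdict

SAMPLE_PLUGINS = [
    {"name": "hypothetical-form-plugin", "status": "active", "version": "2.3.0", "update_version": "2.4.1"},
    {"name": "legacy-slider", "status": "inactive", "version": "1.8.2", "update_version": ""},
    {"name": "example-seo", "status": "active", "version": "5.1.0", "update_version": ""},
    {"name": "example-booking", "status": "active", "version": "3.0.4", "update_version": ""},
    {"name": "example-cookie-banner", "status": "active", "version": "1.2.0", "update_version": "1.2.1"},
]

# fixed_in: version that closes the issue, or None if no patched release
# existed at disclosure (the "unpatched at time of disclosure" case).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "slug": "hypothetical-form-plugin", "fixed_in": "2.4.1"},
    {"id": "ADV-EXAMPLE-002", "slug": "example-booking", "fixed_in": None},
    {"id": "ADV-EXAMPLE-003", "slug": "example-seo", "fixed_in": "4.9.0"},  # already past it
]

# Most urgent first; used to order the report.
ACTION_ORDER = {"mitigate": 0, "update-now": 1, "remove": 2, "update": 3}


def version_key(v, width=4):
    """Numeric tuple for ordering plugin versions: '2.10' > '2.9' and
    '2.4' == '2.4.0'. Pre-release suffixes are ignored, which is adequate
    for the stable releases plugin directories ship."""
    parts = [int(x) for x in re.findall(r"\d+", v)][:width]
    return tuple(parts + [0] * (width - len(parts)))


def audit(plugins, advisories):
    """Return findings as {"plugin", "action", "reason"}, most urgent first.

    mitigate    vulnerable with no fixed release: deactivate it or put a
                virtual patch (WAF rule) in front of it until one ships
    update-now  vulnerable and a fixed release exists: update today
    remove      installed but inactive: its files are still reachable,
                so it is attack surface with no benefit
    update      routine update available, no known advisory
    """
    by_slug = defaultdict(list)
    for adv in advisories:
        by_slug[adv["slug"]].append(adv)

    findings = []
    for p in plugins:
        slug, ver = p["name"], p["version"]
        if p["status"] == "inactive":
            # Removal also settles any advisory against it.
            findings.append({"plugin": slug, "action": "remove",
                             "reason": "installed but inactive"})
            continue
        urgent = False
        for adv in by_slug.get(slug, []):
            fixed = adv["fixed_in"]
            if fixed is None:
                findings.append({"plugin": slug, "action": "mitigate",
                                 "reason": f"{adv['id']}: no patched release yet"})
                urgent = True
            elif version_key(ver) < version_key(fixed):
                findings.append({"plugin": slug, "action": "update-now",
                                 "reason": f"{adv['id']}: fixed in {fixed}, running {ver}"})
                urgent = True
        if p.get("update_version") and not urgent:
            findings.append({"plugin": slug, "action": "update",
                             "reason": f"{ver} -> {p['update_version']}"})
    return sorted(findings, key=lambda f: ACTION_ORDER[f["action"]])


if __name__ == "__main__":
    for f in audit(SAMPLE_PLUGINS, SAMPLE_ADVISORIES):
        print(f"{f['action']:<10} {f['plugin']:<26} {f['reason']}")
```

On a live site the inventory comes from `wp plugin list --format=json --fields=name,status,version,update_version` piped through `json.load`, and the advisory list from whichever feed you subscribe to, mapped into the same four keys. The ordering is the point: a plugin with a disclosed issue and no fix cannot wait for the next maintenance window, and an inactive plugin should not survive the audit at all.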
Conclusion
The plugin vulnerability numbers will keep climbing. That is the reality of an ecosystem with tens of thousands of plugins maintained by independent developers of wildly varying commitment levels. You cannot control whether a plugin developer patches a vulnerability in five hours or five months.
What you can control is whether someone is watching when it matters.
Ian O'Reilly oversees Web60's hosting infrastructure and operations. Responsible for the uptime, security, and performance of every site on the platform, he writes about the operational reality of keeping Irish business websites fast, secure, and online around the clock.