
Advisory - Critical Vulnerabilities in WordPress Core, Plugins, and Themes

Critical vulnerabilities have been discovered in the WordPress core, plugins, and themes, affecting a significant number of websites across the ecosystem. The majority of these security issues are found in plugins and themes, while a smaller percentage impacts the core platform. These vulnerabilities present a serious risk to the security of affected sites.
 
Affected Systems:
  • WordPress Core: A limited number of vulnerabilities were identified in the WordPress core.
  • Plugins: 7,633 vulnerabilities, representing 96% of the total, were found in plugins.
  • Themes: 326 vulnerabilities, accounting for 4% of the total, were discovered in themes.
 
Security Risks
The vulnerabilities found across WordPress core, plugins, and themes pose serious risks, including unauthorized access to sensitive data, privilege escalation, and remote code execution, which can lead to potential data breaches and website compromises.
 
For the full list of security patches released, please refer to the Wordfence vulnerability advisory.
 
Recommended Actions
 
The National Cyber Security Authority (NCSA) strongly recommends that system administrators:
  • Follow and put in place the security updates shared by WordPress to lower the risk from these vulnerabilities.
  • Apply the required and latest security updates as soon as possible.
  • Before any update task, please ensure you have a recent backup that can easily be restored.
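
The backup-then-update sequence above, written as a shell function around WP-CLI. This is an added example, not part of the NCSA advisory; it assumes WP-CLI is installed as wp, and the function name, paths and backup file names are illustrative. The final checksum check goes one step beyond the listed actions.

```shell
# Added example (not from the advisory). Assumes WP-CLI is available as `wp`.
# patch_site is a hypothetical helper name; paths in the usage line are placeholders.
#
# patch_site <wordpress-dir> <backup-dir>
#   returns 0 on success, 1 if the backup failed (nothing is updated),
#   2 if an update step failed, 3 if core files fail checksum verification.
patch_site() {
    local site="$1" backups="$2" stamp dump files
    stamp="$(date +%Y%m%d-%H%M%S)"
    dump="$backups/db-$stamp.sql"
    files="$backups/files-$stamp.tar.gz"

    # Keep the backup directory outside the web root so dumps are not downloadable.
    mkdir -p "$backups" || return 1

    # 1. Back up the database and the full site tree (core, plugins, themes, uploads).
    wp --path="$site" db export "$dump" \
        || { echo "database backup failed, not updating" >&2; return 1; }
    tar -czf "$files" -C "$site" . \
        || { echo "file backup failed, not updating" >&2; return 1; }

    # 2. Confirm the backup is non-empty and readable before changing anything.
    [ -s "$dump" ] && tar -tzf "$files" >/dev/null \
        || { echo "backup unreadable, not updating" >&2; return 1; }

    # 3. Apply updates: core first (including its database schema), then plugins and themes.
    wp --path="$site" core update          || return 2
    wp --path="$site" core update-db       || return 2
    wp --path="$site" plugin update --all  || return 2
    wp --path="$site" theme update --all   || return 2

    # 4. Verify core files against the official WordPress.org checksums.
    wp --path="$site" core verify-checksums || return 3
}

# Usage (placeholder paths):
#   patch_site /var/www/html /var/backups/wordpress
```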
 
For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us on 9009.
 
20 March 2025

© 2025 National Cyber Security Authority