159 Vulnerabilities in Seven Days. A Single Week in the WordPress Plugin Bin.
Every Wednesday, Wordfence publishes a weekly vulnerability bulletin. It is, on paper, a public service: a tidy table of what broke, who broke it, and which version finally stopped it bleeding. In practice it is the most damning ongoing document in the WordPress universe — a rolling, time-stamped admission that the world's most popular CMS is held together by goodwill, gravatar avatars, and the unpaid labour of vulnerability researchers in three different time zones. The bulletin for the week of 1 to 7 June 2026 is not unusual. That is precisely the problem.
The numbers, served straight.
In a single week, Wordfence logged 159 vulnerabilities across 141 WordPress plugins and 2 themes. Ninety-six researchers contributed. Nine of those flaws were rated Critical. Fifty-three were High. Ninety-six were Medium. One was Low, presumably out of politeness. Of the 159, one hundred and thirty-four were patched. Twenty-five were not — meaning the disclosure went out and the fix did not, and somewhere in the world a maintainer is on holiday, ill, dead, or simply finished with it.
Read those figures again, slowly. One hundred and fifty-nine new ways to compromise a WordPress site, surfaced in seven days, in plugins people are actively running on live commercial websites right now. Not in obscure abandoned forks from 2014. In the plugin directory. In the install base. In the ecosystem that the WordPress Foundation insists is 'thriving'.
What 159 looks like, by type.
Wordfence categorises by CWE — the standard taxonomy of software defects — and the breakdown for the week reads like a security textbook's table of contents:
- 43 Cross-Site Scripting
- 28 Missing Authorization
- 17 Deserialization of Untrusted Data
- 16 SQL Injection
- 9 Cross-Site Request Forgery
- 9 Path Traversal
- 7 Sensitive Information Exposure
- 6 Authorization Bypass via User-Controlled Key
- 5 Code Injection
- 4 Incorrect Privilege Assignment
- 2 Arbitrary File Upload
- 1 SSRF, 1 Embedded Malicious Code, and a long tail of authentication and authorisation failures.
These are not exotic flaws. There is no novel kernel-level cryptanalysis here. Cross-site scripting is the bug developers were told to stop shipping in 2005. SQL injection was a punchline in 2010. Deserialisation of untrusted data — seventeen separate instances in one week — is the kind of mistake that gets a junior developer a stern code review at any company that survived the last decade. The WordPress plugin economy is, in 2026, shipping textbook vulnerabilities at the rate of roughly twenty-three per day, every day, in perpetuity.
The one flaw that earned its own firewall rule.
Out of 159, Wordfence's threat team singled out exactly one for emergency firewall protection: an Unauthenticated Authentication Bypass in UpdraftPlus — Backup & Migration up to version 1.26.4, via the UpdraftCentral udrpc channel. UpdraftPlus is one of the most-installed backup plugins on the planet, sitting on millions of sites whose owners think they have done the responsible thing by installing a backup plugin. The vulnerability lets an unauthenticated attacker bypass authentication — that is the entire sentence — and pivot into the central management channel that, by design, has god-mode over those sites. Free Wordfence users will receive that firewall rule thirty days late, which is exactly the window an attacker needs.
Ninety-six researchers. None of them paid by WordPress.
Scroll the researcher list and you will see ninety-six names — Frissi0n, daroo, Jakub Herman, dodoh4t, san6051, kai63001, swat, h0xilo, VanTastic, hhhai, on and on — most of them with two-letter handles and gravatar defaults, working through Patchstack and Wordfence bug bounty programmes for token rewards. These are the people keeping the WordPress install base from full collapse. They are not employees of Automattic. They are not funded by the WordPress Foundation. They are private security researchers, many in Southeast Asia, treating the WordPress plugin directory as a permanent open-air bug bounty because that is, functionally, what it is.
Imagine running any other piece of infrastructure on this model. Imagine your bank explaining that its core systems are kept solvent by ninety-six strangers on the internet who file findings every week and hope the vendor pushes a patch before someone weaponises the proof of concept. You would close the account that afternoon. WordPress runs roughly forty per cent of the web on exactly this arrangement.
Twenty-five unpatched. Forever, probably.
The twenty-five unpatched vulnerabilities in this week's report are the most honest part of the document. They represent plugins whose authors have either gone silent, gone bankrupt, gone freemium-and-stopped-caring, or never had a release process to begin with. Wordfence discloses anyway, because withholding the disclosure would mean leaving site owners ignorant of a live risk on their own server. The plugin stays in the directory. The install count keeps climbing. The fix never arrives. Multiply that by every week of the year and you have the actual state of the WordPress supply chain: a directory where 'available' and 'maintained' are no longer the same word, and where the gap between disclosure and patch is, increasingly, infinite.
The absurdity, stated plainly.
One week. One hundred and fifty-nine vulnerabilities. Nine of them critical. Twenty-five of them with no fix. One emergency firewall rule. Ninety-six unpaid researchers. Forty-three cases of a bug class that has been solved, on paper, for two decades. This is not a security report. It is an obituary serialised across fifty-two weeks a year, and the WordPress ecosystem has so thoroughly normalised it that the bulletin gets a polite tweet, a Hacker News thread of seven comments, and disappears.
Anyone still recommending a fresh WordPress build to a small business client in 2026 — with a stack of seventeen plugins, three of which were last updated in 2023 — needs to read this bulletin top to bottom and explain, in writing, why the client's brochure site is being built on a platform that ships textbook vulnerabilities by the bucket every Wednesday. Because that is the deal. That is what the install includes. The CMS, the page builder, the SEO plugin, the backup plugin, the form plugin, the cache plugin, and a permanent weekly chance that one of them is the next CVE in the Wordfence table.
“159 vulnerabilities in seven days is not a bad week. It is a normal week. That is the problem.”
The exit is not a better plugin. The exit is not a paid security service that papers over the model. The exit is off the platform — onto a stack where the dependencies are auditable, the attack surface is a fraction of the size, and the weekly bulletin from your vendor is not a public confession that the supply chain has fallen off a cliff.
Source: Wordfence Intelligence Weekly WordPress Vulnerability Report, 1–7 June 2026.