- How many CVEs does WordPress have?
- WordPress has 739 published CVE records since 2005, including 38 in the last two years.
- How many WordPress CVEs are in CISA KEV?
- Yes — 2 of WordPress's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.
- Which WordPress products have the most CVEs?
- The WordPress products with the most published CVEs are WordPress, wordpress-develop, wordpress mu, adserve, sniplets plugin.
- What are the most common weakness types in WordPress CVEs?
- WordPress's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-862 (Missing Authorization), CWE-352 (Cross-Site Request Forgery (CSRF)), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
- Are there public exploits for WordPress vulnerabilities?
- Yes — 274 of WordPress's CVEs have a known public exploit.
- How many critical WordPress vulnerabilities are there?
- WordPress has 48 critical and 161 high-severity CVEs.
- What is the average severity of WordPress CVEs?
- The average CVSS base score across WordPress's scored CVEs is 6.0.