Nearly 42% of WordPress Plugins Are Immediately Exploitable — and AI is the Catalyst

Writer: Jordan Sprogis

Jordan Sprogis, Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

Editor: Lillian Castro

Lillian Castro, Senior Editor

Lillian Castro brings more than 30 years of editing and journalism experience to our team. She has written and edited for major news organizations, including The Atlanta Journal-Constitution and the New York Times, and she previously served as an adjunct instructor at the University of Florida. Today, she edits HostingAdvice content for clarity, accuracy, and reader engagement.

Reviewer: Cristian Lopez

Cristian Lopez, News Manager

Cristian Lopez uses his Business Marketing background from the University of Illinois at Chicago to create comfortable environments for customers, clients, and colleagues to share their thoughts and ideas openly. From interviewing tech leaders to conducting UX market research projects, Cristian knows the importance of storytelling — a key variable for innovation and inspiration. His goal at HostingAdvice is to wow readers on the ever-evolving nature of the tech industry and bring his audience the most reliable and exciting content on all things hosting.

Follow the HostingAdvice team for a daily dose of tech news, trending IT discussions, and interviews with the web's most innovative technologists.
Follow Us:
2.7k
1k

No matter how much love WordPress gets, plugin vulnerabilities have always been a problem. And now they’re coming in faster than ever.

In just the first six months of 2025, there were 6,700 new vulnerabilities identified, with 41.5% of those immediately exploitable. That’s a major jump from 30.4% last year.

The reason is AI. Security research shows that automatic bots can scan thousands of sites in seconds — and they’re searching for exploitable things, like outdated plugins and weak configurations.

Roger Williams
Roger Williams, Kinsta

It’s why Roger Williams, Partnerships and Community Manager at Kinsta, told HostingAdvice that site owners need to stop treating plugin updates as an afterthought.

“Auto-updates are one of the simplest and most effective ways to reduce risk,” Williams said. “I’ve enabled them on my personal and client sites, and haven’t had issues. With WordPress 6.6 introducing auto-rollbacks for failed updates, the safety net is stronger than ever.”

If an auto-update fails, the auto-rollback feature automatically puts sites back to its previous version. It’s great for SMB clients who don’t have the time to manually check daily — and not a bad opportunity for a managed services package.

But even an automatic feature doesn’t fix everything. The rest of the job still falls to those actually running the infrastructure, and unfortunately for them, the clock starts ticking the moment a new vulnerability pops up.

AI Is in the Driver’s Seat

Old-school cyberattacks were effective, but slow. Even a skilled attacker might find and exploit a vulnerable plugin on a single target within a few hours, and mass campaigns could take weeks.

Now, instead of just probing one site at a time, bots can scan thousands of sites instantly. They can also adjust tactics mid-attack and mask their fingerprints faster than it takes many of today’s security tools to respond.

Plugins are responsible for nearly 90% of all WordPress vulnerabilities. Credit: Patchstack

Human Security found that web scanner bots are often the very first visitors to new sites, probing for vulnerabilities before any real users arrive. In some honeypot tests, they also accounted for up to 100% of traffic on certain days.

But this should come as no surprise when Cloudflare estimates that up to 40% of all internet traffic now belongs to bots.

“That combo of sheer scale and shape-shifting makes these attacks tougher to spot,” Williams said.

If AI is the driver going 100 mph in an alleyway and hosts are the passengers trying to regain control, the best chance of taking the wheel is with defenses that are layered and fast, Williams said.

“Roll out fresh WAF rules the moment a plugin flaw hits the wire, watch for weird logins or sudden file-writes, and keep every site in its own sandbox so trouble can’t hop the fence,” he said.

The red represents how much of this website’s total traffic came from bot scanner requests versus actual, human traffic. Credit: Human Security

Of course, hosts can leverage AI just the easily as cyberattackers. Plenty of newer tools can flag abnormal traffic patterns and even draft patches before exploits go public. But Williams warned against overreliance.

“There are a lot of cool things coming up… but security runs on proof, not promises,” he said. “The smart play is to treat AI like a junior analyst behind strict guardrails: great for speed and insights, always double-checked by deterministic rules and human eyes.”

High-Risk Plugins = Greatest Threat Vector

Not all plugins are created equal. Contact-form builders, file-upload tools, and eCommerce checkouts sit at the top of the threat pyramid, especially if they’re abandoned or rarely updated.

“Any abandoned plugins should be a red flag and avoided as much as possible,” Williams said.

In fact, a 2025 audit scanned 68,000 WordPress installations and revealed:

These are pretty intense numbers, but one could argue they only prove why managed WordPress providers are so important. All those things should be baked into every plan.

And yet, Williams said he has noticed plenty of pushback from developers who tend to prefer manual control.

“I get it — they’re doing the work of reading change logs and testing updates in staging… but it’s expensive in dollars and time,” Williams said. “Unless you are dedicated to daily checks for manual updates, or willing to hire someone to do that, it’s best to enable auto-updates.”

Collaboration is the Key

Even one of the most popular WordPress hosting providers understands that no single player can secure the ecosystem alone.

It’s something that WordPress itself emphasizes on its About page:

The WordPress open source project has evolved in progressive ways… supported by skilled, enthusiastic developers, designers, scientists, bloggers, and more… a large community of people collaborating on and contributing to this project.

Williams described security as a team sport, so tighter collaboration between hosts, plugin developers, and site owners is what will lead to better patch cycles and fewer security gaps.

“Hosts can invite plugin authors to test on real-world infrastructure and flag any permission or resource red flags,” Williams added. “Keep the feedback loops short, the mindset curious, and you get a shared responsibility model where everyone pushes the platform forward together.”

What hosts can do is act as an “early-warning radar”:

It’s that kind of standard that makes evolving WordPress to the next era possible, even if that era is powered by an invisible attacker.

“Top it off with regular backups and a one-click rollback button,” Williams said, “and most plugin exploits stay in footnotes instead of front-page news.”

About the Author

Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

« BACK TO: BLOG

Meet the Experts

Our team of experts with a combined 50+ years of experience in web hosting serve insight and advice to more than 20 million users!

We Know Hosting

$

4

8

,

2

8

3

spent annually on web hosting!