CVE Volume Surges Past 48,000 in 2025 as WordPress Plugin Ecosystem Drives Growth
Blog post from Socket
In 2025, the number of publicly disclosed software vulnerabilities reached a record high of 48,185 CVEs, a 20.6% increase over the previous year, according to security researcher Jerry Gamblin's analysis, which draws on the National Vulnerability Database and CVE List V5. The surge reflects a shift in where vulnerabilities originate: a growing share comes from third-party plugins, particularly within the WordPress ecosystem, rather than from major software vendors. The "WordPress effect," as Gamblin describes it, highlights the significant role of third-party extensions in the vulnerability landscape, with entities like Patchstack and Wordfence leading in CVE disclosures. Despite the increase in volume, severity metrics remained stable, with most vulnerabilities rated medium. Operational challenges persist, however, because security teams must prioritize based on exploitability. The data also shows concentrated disclosure activity, especially in December and on specific days like February 26, when nearly 800 CVEs were reported. Prediction models suggest continued growth in CVE volume, possibly reaching 55,000 in 2026. The industry therefore faces challenges in scaling traditional vulnerability management approaches and may need to adopt predictive analytics to manage the increasing disclosure velocity effectively.