2024 CMS security insights: lessons from a year of plugin compromises
WordPress, Drupal, and Joomla took the brunt of 2024's web compromises - and the pattern was the same as 2023. What Wordfence, Sucuri, and Patchstack data tells us, plus the controls that materially reduce breach probability.
Why CMS sites stay in the crosshairs
WordPress alone powers 43.5% of all websites on the public internet (W3Techs, 2024). Add Joomla, Drupal, Shopify and the other off-the-shelf platforms and well over half of the web runs a CMS that can be fingerprinted and attacked at scale. That market share is precisely what makes CMS-driven sites the highest-volume web attack surface every threat-intelligence vendor measures.
The reason the pattern doesn't change year-over-year is structural: third-party plugins, patches that land long after disclosure, and admin surfaces left exposed to the public internet. Patchstack tracked 7,966 new WordPress vulnerabilities in 2024 alone - 96% of them in plugins or themes, not in core.
What the year's data actually shows
Patchstack's 2024 annual report and Wordfence's vulnerability database converge on the same picture: plugin sprawl is the dominant attack surface.
| Finding category | Share of WordPress CVEs (2024) | Typical severity |
|---|---|---|
| Plugin XSS (cross-site scripting) | 47% | HIGH |
| Broken access control / authz | 18% | HIGH |
| SQL injection | 9% | CRITICAL |
| Arbitrary file upload | 6% | CRITICAL |
| Unauth RCE | 3% | CRITICAL |
| Other | 17% | MIXED |
Plugin sprawl is the dominant root cause. Patchstack's data shows the average WordPress site runs 23 plugins; the median plugin had its last security update 11 months ago. The plugin you don't remember installing is the one that breaches you.
Two 2024 incidents to study
CVE-2024-25600: Bricks Builder unauthenticated RCE
In February 2024, Patchstack and Wordfence disclosed CVE-2024-25600 in the Bricks Builder site-builder theme - an unauthenticated remote code execution affecting an estimated 25,000+ active installations. Within 24 hours of public disclosure, Wordfence reported blocking exploit attempts against the CVE on customer sites.
The root cause was the same as so many WordPress-plugin RCEs: a REST endpoint (reachable under /wp-json/, no login required) passed user-controlled input into eval(), and its permission callback checked only a WordPress nonce. A nonce is a CSRF token, not an authorization check, and this one was printed into the public front-end markup, so any anonymous visitor could obtain a valid one and reach the eval() chain.
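The pattern above, reduced to its essentials, as an added example (this is not Bricks Builder's code, and the `demo/v1` namespace, the `demo_*` function names and the `settings.queryEditor` parameter are assumptions for illustration). The first half reproduces the bug class: a nonce-only permission callback in front of an eval(). The second half is the shape a reviewer should insist on: a capability check for authorization, with the nonce kept only as CSRF protection, and a structured allow-list instead of code execution.

```php
<?php
// Added example, not the plugin's real code. Runs inside WordPress (drop into a
// plugin file); route name, namespace and demo_* helpers are illustrative.

// --- VULNERABLE PATTERN (do not ship) --------------------------------------
// The permission callback only verifies a nonce. Themes and builders commonly
// print wp_create_nonce('wp_rest') into public page HTML, so any anonymous
// visitor can obtain one. It proves the request is not cross-site forgery; it
// says nothing about WHO is calling.
function demo_vuln_permission( WP_REST_Request $request ) {
    return (bool) wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
}

// The handler evaluates attacker-controlled "settings" as PHP. Nonce passes,
// string becomes code: unauthenticated RCE.
function demo_vuln_render( WP_REST_Request $request ) {
    $settings = $request->get_param( 'settings' );
    $query    = $settings['queryEditor'] ?? 'return [];';
    $args     = eval( $query );            // RCE sink: $query is user input
    return rest_ensure_response( $args );
}

// --- HARDENED PATTERN ------------------------------------------------------
// 1. Authorization = capability check on the authenticated user. The nonce
//    stays, but only as CSRF protection layered on top of that.
function demo_safe_permission( WP_REST_Request $request ) {
    if ( ! wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {
        return new WP_Error( 'rest_cookie_invalid_nonce', 'Invalid nonce', [ 'status' => 403 ] );
    }
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions', [ 'status' => 403 ] );
    }
    return true;
}

// 2. No code from data: accept a structured description and map it onto an
//    allow-list of WP_Query arguments. Unknown keys are dropped, limits clamped.
function demo_safe_render( WP_REST_Request $request ) {
    $settings = (array) $request->get_param( 'settings' );
    $allowed  = [ 'post_type', 'posts_per_page', 'orderby', 'order' ];
    $args     = [];
    foreach ( $allowed as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            $args[ $key ] = sanitize_text_field( (string) $settings[ $key ] );
        }
    }
    $args['posts_per_page'] = min( 50, max( 1, (int) ( $args['posts_per_page'] ?? 10 ) ) );
    return rest_ensure_response( ( new WP_Query( $args ) )->posts );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/render', [
        'methods'             => 'POST',
        'callback'            => 'demo_safe_render',       // never demo_vuln_render
        'permission_callback' => 'demo_safe_permission',
        'args'                => [ 'settings' => [ 'type' => 'object', 'required' => true ] ],
    ] );
} );
```

When reviewing a plugin, grep for `permission_callback` values that are `__return_true` or that only call `wp_verify_nonce`/`check_ajax_referer`: on a REST or AJAX route that is the Bricks shape, whatever the handler does with the input.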
CVE-2024-10924: Really Simple Security auth bypass
In November 2024, Wordfence disclosed CVE-2024-10924 in the Really Simple Security plugin (formerly Really Simple SSL) - an authentication bypass affecting 4 million+ installations. On sites with the plugin's two-factor authentication feature enabled, an unauthenticated attacker could log in as any existing user, including administrators, by supplying that user's ID.
The bypass was an error-handling fall-through in the 2FA login check: the code built an error object for a failed verification but never returned it, so execution continued into the login path. The fix was a one-line change; the question every site owner had to answer was: did the plugin auto-update before someone exploited it?
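The bug class, reconstructed as an added example (not Really Simple Security's code): a verification step that creates a `WP_Error` and then keeps going, beside the fail-closed version and the caller discipline that would have caught it. The `demo_*` names and the `DEMO_VALID_TOKENS` fixture are assumptions.

```php
<?php
// Added example, not the plugin's real code. Runs inside WordPress.
// Constructed fixture: user 42 has a pending 2FA login with this one-time token.
const DEMO_VALID_TOKENS = [ 42 => 'login-token-abc' ];

// VULNERABLE: the error is created and then silently dropped, so the function
// returns whichever user the caller asked for. No valid token needed.
function demo_check_login_and_get_user_vuln( int $user_id, string $login_token ) {
    if ( ( DEMO_VALID_TOKENS[ $user_id ] ?? null ) !== $login_token ) {
        $error = new WP_Error( 'invalid_token', 'Invalid login token' );
        // BUG: missing `return $error;` - execution falls through.
    }
    return get_user_by( 'id', $user_id );
}

// FIXED: fail closed. Every non-success path returns before the lookup, and
// a missing user is an error too rather than `false` the caller might ignore.
function demo_check_login_and_get_user( int $user_id, string $login_token ) {
    if ( ( DEMO_VALID_TOKENS[ $user_id ] ?? null ) !== $login_token ) {
        return new WP_Error( 'invalid_token', 'Invalid login token' );
    }
    $user = get_user_by( 'id', $user_id );
    return $user instanceof WP_User ? $user : new WP_Error( 'no_user', 'Unknown user' );
}

// Caller: the only safe contract is "anything that is not a WP_User is a
// failure". Checking is_wp_error() alone would still let a `false` through.
function demo_finish_two_factor_login( int $user_id, string $login_token ) {
    $user = demo_check_login_and_get_user( $user_id, $login_token );
    if ( is_wp_error( $user ) || ! ( $user instanceof WP_User ) ) {
        return is_wp_error( $user ) ? $user : new WP_Error( 'login_failed', 'Login failed' );
    }
    // Only here is a session created.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}
```

The review heuristic: in any function that returns a `WP_User` on the success path, every `new WP_Error(...)` must be the operand of a `return`, and every caller must type-check the result before calling `wp_set_auth_cookie()`.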
The controls that reduce risk
Plugin curation
A small, signed-off allow-list. Quarterly review of each plugin's update cadence, maintainer health, and download trend. Patchstack flags abandoned plugins in its vulnerability database, and WordPress.org warns on listings that haven't been tested against the last three major releases - use both signals. Delete rather than merely deactivate: a deactivated plugin's code is still on disk and still shows up when an attacker fingerprints the site.
Admin-plane isolation
Admin URLs (/wp-admin and wp-login.php, Drupal's /user/login, Joomla's /administrator) behind corporate SSO, VPN, or IP allow-list. Never on the public internet. This single change closes most opportunistic scanner and credential-stuffing traffic. Two caveats: if the site sits behind a CDN or reverse proxy, the allow-list must key on the real client address the proxy forwards, not the proxy's own IP; and the WordPress REST API (/wp-json/), admin-ajax.php and xmlrpc.php stay reachable because front ends depend on them - the Bricks endpoint lived under /wp-json/, so admin-plane isolation does not substitute for plugin curation.
Automated WAF + bot management
Cloudflare, Sucuri, or Wordfence Premium - even baseline rulesets block the bulk of automated scans. Sucuri's 2024 Hacked Website Report shows WAF-protected sites had ~85% lower compromise rates.
Auto-updates for minor versions
WordPress core has auto-updated minor and security releases by default since 3.7; 5.6 added the opt-in for major core releases, and 5.5 added per-plugin auto-update toggles. The Really Simple Security incident showed why this matters: sites that had auto-update on for that plugin were patched within 24 hours.
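The three controls that can be enforced in code (plugin curation, admin-plane isolation and the auto-update policy) as one must-use plugin, an added example and not code from the article or any vendor. The CIDR ranges (TEST-NET addresses), the allow-listed plugin slugs and the `demo_*` names are assumptions; replace them with your own. It assumes WordPress sees the real client address in `REMOTE_ADDR` (behind a proxy, make the proxy set it before this runs).

```php
<?php
/**
 * Plugin Name: CMS hygiene policy (added example)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins and
 * cannot be switched off from the dashboard.
 */

// Assumptions for illustration: corporate egress / VPN ranges and the signed-off plugin list.
const DEMO_ADMIN_ALLOW_CIDRS = [ '203.0.113.0/24', '198.51.100.7/32' ];
const DEMO_PLUGIN_ALLOWLIST  = [ 'wordfence', 'really-simple-ssl', 'akismet' ];

// IPv4 CIDR match. Anything unparsable (including IPv6) is treated as not allowed.
function demo_ip_in_cidrs( string $ip, array $cidrs ): bool {
    $addr = ip2long( $ip );
    if ( $addr === false ) {
        return false;
    }
    foreach ( $cidrs as $cidr ) {
        [ $net, $bits ] = explode( '/', $cidr ) + [ 1 => '32' ];
        $mask = ( ~0 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF;
        if ( ( $addr & $mask ) === ( ip2long( $net ) & $mask ) ) {
            return true;
        }
    }
    return false;
}

// 1. Admin-plane isolation: wp-login.php and /wp-admin only from allow-listed
//    sources. admin-ajax.php is excluded because front-end features call it;
//    the REST API is untouched for the same reason (see the caveat in the text).
add_action( 'init', function () {
    global $pagenow;
    $is_login = ( $pagenow === 'wp-login.php' );
    $is_admin = is_admin() && ! wp_doing_ajax();
    if ( ( $is_login || $is_admin )
         && ! demo_ip_in_cidrs( $_SERVER['REMOTE_ADDR'] ?? '', DEMO_ADMIN_ALLOW_CIDRS ) ) {
        wp_die( 'Admin access is restricted.', 'Forbidden', [ 'response' => 403 ] );
    }
}, 0 );

// XML-RPC is a second login surface (credential stuffing, pingback abuse); close it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Auto-update policy: allow-listed plugins always auto-update; everything
//    else keeps whatever the dashboard toggle says.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return in_array( $item->slug ?? '', DEMO_PLUGIN_ALLOWLIST, true ) ? true : $update;
}, 10, 2 );

// 3. Curation: list active plugins that nobody signed off on. Plugin slugs are
//    the directory name (or the file name for single-file plugins).
function demo_unlisted_active_plugins(): array {
    $unlisted = [];
    foreach ( (array) get_option( 'active_plugins', [] ) as $file ) {
        $slug = ( dirname( $file ) === '.' ) ? basename( $file, '.php' ) : dirname( $file );
        if ( ! in_array( $slug, DEMO_PLUGIN_ALLOWLIST, true ) ) {
            $unlisted[] = $slug;
        }
    }
    return $unlisted;
}
add_action( 'admin_notices', function () {
    $unlisted = demo_unlisted_active_plugins();
    if ( $unlisted && current_user_can( 'activate_plugins' ) ) {
        echo '<div class="notice notice-warning"><p>Active plugins not on the allow-list: '
           . esc_html( implode( ', ', $unlisted ) ) . '</p></div>';
    }
} );
```

The admin notice is deliberately a report, not an automatic deactivation: the quarterly review decides whether an unlisted plugin is added to the list or removed from disk, and the notice is what makes that review hard to skip.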
Control effectiveness (engagement data)
Custom CMS vs hardened off-the-shelf
We're often asked whether teams should switch to a custom-built CMS. In our 2024 data the answer was no - the operational risk of running an under-maintained custom CMS exceeded the plugin-attack-surface risk of a well-curated WordPress or Drupal install.
| Dimension | Custom CMS | Hardened WordPress |
|---|---|---|
| Attack surface | Smaller | Larger |
| Patch cadence | Manual, slow | Automated, fast |
| Plugin ecosystem | Limited | Rich |
| Cost of ownership | High | Low |
| Auditability | Bespoke | Standardised (OWASP) |
You don't need a custom-built CMS. You need boring hygiene around the one you have. The teams that fared best in 2024 - across every dataset we pulled - were the ones that treated their CMS like infrastructure, not like a website.
- Staatse 2024 engagement retrospective
Key takeaways
- 96% of WordPress CVEs in 2024 were in plugins or themes - not in core. The hygiene problem is yours, not the platform's.
- Bricks Builder (CVE-2024-25600) and Really Simple Security (CVE-2024-10924) were the two highest-impact disclosures of the year: the first was under active exploitation within a day of disclosure, the second exposed 4 million+ installations to unauthenticated administrator login.
- Admin-plane isolation + plugin curation + WAF is the same three-control answer it was in 2023. The data just keeps confirming it.
- Auto-update for plugins is not optional anymore - the Really Simple Security disclosure shipped a patch faster than most ops teams could schedule maintenance.
Bottom line
You don't need a custom-built CMS. You need boring hygiene around the one you have. If you'd like a quick assessment of your CMS exposure, our web application security service is built for exactly this.
References & further reading
- Patchstack, State of WordPress Security 2024 - vulnerability statistics
- Wordfence, Wordfence Intelligence: WordPress vulnerabilities database
- Sucuri, Hacked Website Report - annual web compromise statistics
- W3Techs, Usage statistics of content management systems
- NVD, CVE-2024-25600 - Bricks Builder for WordPress unauthenticated RCE
- NVD, CVE-2024-10924 - Really Simple Security plugin authentication bypass
- OWASP, OWASP Top 10 - 2021 (current edition)