Tech Insights 10 February 2026 8 min read

661 WordPress Vulnerabilities in One Week. 164 Still Have No Patch.

SolidWP's weekly report for 4 February 2026 disclosed 661 new WordPress vulnerabilities in seven days: 638 in plugins, 23 in themes, 164 completely unpatched. The same week, WordPress 6.9.1 was released, fixing 49 bugs. Core isn't the problem. Plugins are. Here's what UK businesses need to do right now.

Mark McNeece Founder, 365i
[Image: WordPress security scanner dashboard showing 661 vulnerability warnings with red and amber severity indicators]

At a Glance
  • SolidWP disclosed 661 WordPress vulnerabilities in the week ending 3 February 2026: 638 in plugins, 23 in themes, 164 with no patch available.
  • WordPress core is not the weak link; version 6.9.1 fixed 49 bugs with zero security patches, while 96.5% of flaws come from plugins.
  • Patchstack reported a 68% year-on-year increase in WordPress vulnerability disclosures, driven by AI-assisted bug discovery and 60,000+ active plugins.
  • A hacked WordPress site costs UK businesses between £500 and £3,000 to clean up, plus mandatory ICO breach notification within 72 hours under UK GDPR.

SolidWP's weekly vulnerability report for 4 February 2026 disclosed 661 new WordPress vulnerabilities in a single week. That's 638 in plugins, 23 in themes, and 164 with no patch available at all. The same day, WordPress.org pushed the 6.9.1 maintenance release fixing 49 separate bugs.

If you run a WordPress site and haven't checked your plugins this month, you're almost certainly running at least one with a known security flaw. That's not alarmist. It's arithmetic.

According to SolidWP's report, the 661 figure covers disclosures tracked between 28 January and 3 February 2026. The previous week's report logged a similar volume, confirming this isn't a one-off spike. It's the new baseline.

661 Flaws in Seven Days. Here's the Breakdown.

Category                        Count   Notes
Plugin vulnerabilities          638     96.5% of all disclosures
Theme vulnerabilities           23      3.5% of disclosures
Unpatched (no fix available)    164     24.8% of all vulnerabilities
WordPress 6.9.1 bug fixes       49      Released 3 February 2026

The 164 unpatched figure is the one that should keep site owners up at night. These aren't theoretical risks waiting for a proof-of-concept. They're publicly disclosed flaws with no fix available, no timeline for a fix, and in many cases, no sign that the plugin developer is even aware of the issue.

[Image: WordPress admin plugins page showing multiple "Update Available" badges and a critical security vulnerability warning] A typical WordPress plugins dashboard with pending updates. Most site owners see this screen and close the tab. Attackers see it as an open door.

Why the Raw Volume Matters More Than Severity Scores

Security coverage tends to focus on the headline-grabbing critical flaws: the CVSS 9.8 admin takeover bugs, the unauthenticated SQL injections. And those are dangerous. But the volume problem is different, and it's worse.

A typical small business WordPress site runs 15 to 30 plugins. If 638 plugin vulnerabilities were disclosed in one week, and the average plugin has a 1-2% chance of being in that list, a site with 25 plugins has a roughly one in four chance of running something with a known flaw right now. Scale that to the Wordfence Intelligence database, which tracks cumulative vulnerabilities across the entire ecosystem, and the odds get worse fast.

The problem isn't any single flaw. It's that the disclosure rate has outpaced the patching rate. Plugin developers are mostly small teams or solo developers. They can't keep up with the security researchers finding bugs faster than they can fix them.

"AI is being used both by attackers to create advanced malware, exploit vulnerabilities, and launch sophisticated scams. If there is any kind of vulnerability, you want to be the first to patch it, not the last."

Kathy Zant, CEO, Zantastic LLC (formerly Wordfence & iThemes)

Zant's point about AI-accelerated attacks is worth sitting with. Automated exploit tools don't care whether a vulnerability is rated Critical or Medium. They scan for any way in, and they do it at a speed no human security team can match. Google's GTIG has since confirmed that nation-state malware is now making live AI API calls during attacks, making these scanners even harder to detect.

164 Unpatched Flaws: What "No Fix Available" Actually Means

When SolidWP marks a vulnerability as "unpatched," it means one of three things: the developer hasn't responded to the disclosure, the developer has acknowledged it but hasn't released a fix, or the plugin has been abandoned entirely.

For the site owner, the distinction doesn't matter much. The flaw is public, attackers can find it, and no update is coming.

Your options when running an unpatched plugin:

  1. Deactivate and delete it. If the plugin isn't critical to your business, remove it. A plugin you're not using is a plugin that can't be exploited.
  2. Find an alternative. Search the WordPress.org repository for an actively maintained plugin that does the same job. Check the "Last updated" date: anything older than six months is a risk.
  3. Use a Web Application Firewall (WAF). A WAF like Wordfence, Patchstack, or a hosting-level firewall can block known exploit patterns even before a patch exists. This buys time, but it's not a permanent fix.
  4. Move to managed WordPress hosting. Managed hosts apply security patches within hours, run daily malware scans, and maintain WAF rules that block known exploit patterns automatically.
[Image: Business owner in a coffee shop looking at a laptop showing a "site compromised" error] For non-technical business owners, a compromised site often means lost revenue, damaged trust, and an emergency call to a developer they don't have on retainer.

WordPress 6.9.1: 49 Bugs Fixed, Zero Security Patches

On 3 February 2026, WordPress.org released version 6.9.1, a short-cycle maintenance release fixing 49 bugs across Core and the Block Editor. No security fixes were included.

That's not a criticism. Maintenance releases fix stability and compatibility issues, and 49 bug fixes in one release is healthy engineering. But it underlines a point: WordPress core is not the weak link. Plugins are.

WordPress core has had remarkably few security incidents relative to its scale. The vulnerability explosion is happening in the plugin ecosystem, where quality control varies wildly and the barrier to publishing a plugin is low.

What This Means for UK Businesses

If you're one of the UK businesses running WordPress, which powers roughly 40% of all websites, these numbers translate into three specific risks.

Data breach liability under UK GDPR. An exploited plugin that leaks customer data triggers ICO reporting obligations within 72 hours. "We didn't know our contact form plugin was vulnerable" isn't a defence. The ICO expects organisations to maintain their software.

Search visibility damage. Google's Safe Browsing programme flags compromised sites with interstitial warnings. If your WordPress site gets hacked through an unpatched plugin and starts serving malware, Google removes you from search results until you clean up. Recovery takes weeks. We covered how AI systems also penalise compromised sites in our analysis of what AI actually sees when it visits your website.

Business interruption costs. The average cost of cleaning up a hacked WordPress site ranges from £500 to £3,000 for a small business, depending on severity. Add lost sales during downtime, the cost of notifying affected customers, and the reputational hit, and a single breach from a £0 free plugin can easily cost five figures.

[Image: Data centre server rack with a single red warning LED among healthy green and blue indicators] Managed hosting environments monitor for threats at the server level, catching exploit attempts before they reach your WordPress installation.

Five Things to Do This Week

You don't need to read 661 vulnerability reports. But you do need a process that handles them for you. Here's where to start.

1. Run a plugin audit today. Log into your WordPress admin, go to Plugins, and check every plugin's "Last updated" date. Anything not updated in the past six months is a candidate for removal. Cross-reference your plugin list against Patchstack's free vulnerability database.

2. Enable automatic updates for all plugins. WordPress has supported auto-updates since version 5.5. Go to Plugins, and click "Enable auto-updates" on each one. Yes, auto-updates can occasionally break things. But the alternative, running known-vulnerable code for weeks, is worse.

3. Install a security plugin with a WAF. Wordfence (free tier available) or Patchstack can block known exploit patterns even for unpatched vulnerabilities. A WAF won't fix the flaw, but it blocks the most common attack routes while you wait for a patch.

4. Delete plugins you're not using. Deactivated plugins can still be exploited in some cases, because their code is still on disk and may be reachable. If you've got plugins sitting in your installation that you tried once and forgot about, delete them. Fewer plugins means a smaller attack surface.

5. Consider managed WordPress hosting. Managed hosts like 365i WordPress Hosting handle security updates automatically. Patches are applied within hours of release, not weeks. Daily malware scans catch issues before they spread. And a hosting-level WAF blocks exploit attempts before they reach your plugins. The December 2025 report disclosed 170 vulnerabilities in a single week. That number has now nearly quadrupled. Manual maintenance can't keep up.
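The audit in steps 1, 2 and 4 above, and the "what to do with an unpatched plugin" options earlier in the article, can be turned into a repeatable check rather than a manual read-through of the Plugins screen. The script below is an added example written for this article; it is not code from SolidWP, Patchstack, Wordfence or 365i. It reads the JSON that the real WP-CLI command `wp plugin list --format=json` prints (embedded here as a constructed sample so it runs offline), compares each installed version against a simplified advisory feed whose schema is an assumption for this example (not any vendor's actual API), applies the article's six-month "Last updated" rule using constructed directory dates, and ranks each plugin: unpatched flaw first, patched-but-not-updated next, then hygiene items (inactive or stale), then "ok".

```python
"""Rank installed WordPress plugins by what the site owner should do next.

Added example, not the article's or any vendor's code. Inputs are constructed
samples shaped like `wp plugin list --format=json` output; the advisory feed
schema is an assumption made for this example.
"""
import json
from datetime import date

# Constructed sample of `wp plugin list --format=json` output. The field names
# are WP-CLI's; the plugin names and versions are invented for this example.
WP_PLUGIN_LIST_JSON = """[
  {"name": "example-forms",   "status": "active",   "update": "available", "version": "2.3.0", "update_version": "2.3.2"},
  {"name": "example-gallery", "status": "inactive", "update": "none",      "version": "1.8.4", "update_version": ""},
  {"name": "example-seo",     "status": "active",   "update": "none",      "version": "5.1.0", "update_version": ""},
  {"name": "example-backup",  "status": "active",   "update": "none",      "version": "0.9.1", "update_version": ""}
]"""

# Constructed advisory feed (schema is an assumption, not Patchstack's or
# Wordfence's real format). fixed_in=None models an "unpatched" disclosure.
ADVISORIES = [
    {"slug": "example-forms",   "title": "constructed: auth bypass", "fixed_in": "2.3.2"},
    {"slug": "example-gallery", "title": "constructed: stored XSS",  "fixed_in": None},
]

# Constructed "Last updated" dates as shown on a plugin's WordPress.org page.
DIRECTORY_LAST_UPDATED = {
    "example-forms": "2026-01-20",
    "example-gallery": "2024-11-02",
    "example-seo": "2026-01-30",
    "example-backup": "2025-03-15",
}

STALE_DAYS = 180  # the article's "older than six months" threshold


def parse_version(text):
    """'2.3.0' -> (2, 3). Equal to '2.3'; suffixes such as '-beta' are ignored."""
    parts = []
    for segment in text.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:  # normalise trailing zeros
        parts.pop()
    return tuple(parts)


def is_affected(installed, fixed_in):
    """An advisory applies when no fix exists or the installed version predates it."""
    return fixed_in is None or parse_version(installed) < parse_version(fixed_in)


def audit(plugins, advisories, last_updated, today, stale_days=STALE_DAYS):
    """Return (name, priority, reasons, action) per plugin, highest priority first.

    priority: 3 = unpatched flaw, 2 = patched flaw still installed,
              1 = hygiene (inactive, stale or unlisted), 0 = nothing to do.
    """
    by_slug = {}
    for adv in advisories:
        by_slug.setdefault(adv["slug"], []).append(adv)

    findings = []
    for p in plugins:
        name, reasons, priority = p["name"], [], 0
        for adv in by_slug.get(name, []):
            if not is_affected(p["version"], adv["fixed_in"]):
                continue
            if adv["fixed_in"] is None:
                reasons.append(f"unpatched: {adv['title']}")
                priority = max(priority, 3)
            else:
                reasons.append(f"vulnerable below {adv['fixed_in']}: {adv['title']}")
                priority = max(priority, 2)
        if p["status"] == "inactive":
            reasons.append("inactive but still on disk")
            priority = max(priority, 1)
        updated = last_updated.get(name)
        if updated is None:
            reasons.append("not listed in the directory")
            priority = max(priority, 1)
        else:
            age_days = (today - date.fromisoformat(updated)).days
            if age_days > stale_days:
                reasons.append(f"last updated {age_days} days ago")
                priority = max(priority, 1)

        if priority == 3:
            action = f"wp plugin delete {name}  # no fix available; replace it"
        elif priority == 2:
            action = f"wp plugin update {name}"
        elif priority == 1:
            action = f"review {name}"
        else:
            action = "ok"
        findings.append((name, priority, reasons, action))
    return sorted(findings, key=lambda f: -f[1])


def run_audit(today=date(2026, 2, 10)):
    """Run the audit over the constructed sample; `today` is fixed for repeatability."""
    return audit(json.loads(WP_PLUGIN_LIST_JSON), ADVISORIES, DIRECTORY_LAST_UPDATED, today)


if __name__ == "__main__":
    for name, priority, reasons, action in run_audit():
        print(f"[P{priority}] {name}: {'; '.join(reasons) or 'no findings'} -> {action}")
```

On a real site you would replace the embedded JSON with the output of `wp plugin list --format=json`, and the advisory list with entries from whichever database you subscribe to. Two design points are worth noting: the version comparison is done numerically rather than as a string, because "2.10.0" sorts before "2.9.0" as text; and an unpatched advisory outranks everything else regardless of the plugin's status, which matches the article's point that a deactivated plugin is not a safe plugin.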

The Bigger Picture: Why Vulnerability Volume Is Accelerating

The 661 figure isn't an anomaly. It's part of a trend that's been building for two years.

Patchstack's 2025 State of WordPress Security report found that WordPress vulnerability disclosures increased 68% year-over-year. Three factors are driving the acceleration.

First, security researchers are using AI tools to find bugs faster. Automated code analysis that would have taken weeks now takes hours. That's good for disclosure, but it overwhelms the patch pipeline.

Second, the WordPress plugin ecosystem has grown to over 60,000 active plugins. More code means more bugs. And many plugins are maintained by developers who treat them as side projects, not products.

Third, attackers are industrialising exploitation. Vulnerability scanners sweep the entire internet within hours of a public disclosure. The window between "flaw published" and "flaw exploited" has shrunk from weeks to days, sometimes hours.

"[The EU Cyber Resilience Act is] a potential turning point for open-source security, similar to the impact GDPR had on data protection practices."

Oliver Sild, Founder & CEO, Patchstack

Sild's comparison to GDPR is apt. The EU Cyber Resilience Act, which enters enforcement in 2027, will require software providers, including open-source plugin developers, to provide ongoing security support for their products. For the WordPress ecosystem, that could mean the end of abandoned plugins sitting in the repository with known security holes. But 2027 is a long way off, and UK businesses need protection now.

Frequently Asked Questions

How many WordPress vulnerabilities were disclosed in February 2026?

SolidWP's report for the week ending 3 February 2026 disclosed 661 new vulnerabilities: 638 in plugins and 23 in themes. Of those, 164 had no patch available at the time of disclosure. This is one of the highest single-week counts on record for the WordPress ecosystem.

Is WordPress core itself vulnerable?

WordPress core is not the problem. The 6.9.1 maintenance release on 3 February fixed 49 bugs but contained no security patches. The vast majority of WordPress vulnerabilities, over 96% in this report, come from third-party plugins and themes, not WordPress itself.

How do I check if my plugins are vulnerable?

Install the free Wordfence or Patchstack plugin, which scans your installed plugins against their vulnerability databases. You can also manually check at patchstack.com/database or wordfence.com/threat-intel/vulnerabilities by searching for your plugin names.

What does "unpatched" mean for a WordPress vulnerability?

Unpatched means no fix exists. The developer either hasn't responded to the disclosure, is still working on a fix, or has abandoned the plugin. Your best options are to deactivate and delete the plugin, switch to an alternative, or use a WAF to block known exploit patterns while you wait.

Are automatic plugin updates safe to enable?

Auto-updates occasionally cause compatibility issues, but the risk of running unpatched software is far greater. Enable auto-updates for all plugins and themes. If a rare update breaks something, your hosting provider can roll back. If an unpatched flaw gets exploited, the damage is much harder to undo.

Does managed WordPress hosting protect against these vulnerabilities?

Yes. Managed hosts apply security patches within hours, run daily malware scans, and maintain server-level firewalls (WAFs) that block known exploit patterns. The 164 unpatched vulnerabilities in this report are far less dangerous on managed hosting because the WAF blocks the exploit attempts even before a patch exists.

How much risk does this pose to a small UK business?

A hacked WordPress site typically costs a UK small business between £500 and £3,000 to clean up, plus lost revenue during downtime. Under UK GDPR, a data breach from an exploited plugin triggers mandatory ICO notification within 72 hours. The reputational cost is harder to quantify but often worse than the financial hit.

Why are there so many WordPress vulnerabilities now?

Three factors: security researchers are using AI tools to find bugs faster, the plugin ecosystem has grown to over 60,000 active plugins, and attackers have industrialised exploitation. Vulnerability disclosures increased 68% year-over-year in 2025 according to Patchstack, and that pace is continuing into 2026.

Don't Have Time to Patch 661 Vulnerabilities?

Managed WordPress hosting from 365i applies security updates within hours, blocks exploit patterns with a server-level WAF, and runs daily malware scans. You focus on your business. We handle the security.

WordPress Hosting From £29/mo

Or add maintenance to your existing hosting
