Analysis Forecasts More Vulnerabilities In 2025 via @sejournal, @martinibuster

A new analysis predicts that the number of reported vulnerabilities will reach record highs in 2025, continuing the trend of rising cybersecurity risks and increased vulnerability disclosures.

Analysis By FIRST

The analysis was published by the Forum of Incident Response and Security Teams (FIRST), a global organization that helps coordinate cybersecurity responses. It forecasts almost 50,000 vulnerabilities in 2025, an increase of 11% over 2024 and a 470% increase from 2023. The report suggest that organizations need to shift from reactive security measures to a more strategic approach that prioritizes vulnerabilities based on risk, planning patching efforts efficiently, and preparing for surges in disclosures rather than struggling to keep up after the fact.

Why Are Vulnerabilities Increasing?

There are three trends driving the increase in vulnerabilities.

1. AI-driven discovery and open-source expansion are accelerating CVE disclosures.

AI is vulnerability discovery, including machine learning and automated tools are making it easier to detect vulnerabilities in software which in turn leads to more CVE (Common Vulnerabilities and Exposures) reports. AI allows security researchers to scan larger amounts of code to quickly identify flaws that would have gone unnoticed using traditional methods.

The press release highlights the role of AI:

“More software, more vulnerabilities: The rapid adoption of open-source software and AI-driven vulnerability discovery has made it easier to identify and report flaws.”

2. Cyber Warfare And State-Sponsored Attacks

State-sponsored attacks are increasing which in turn leads to more of these kinds of vulnerabilities being discovered.

The press release explains:

“State-sponsored cyber activity: Governments and nation-state actors are increasingly engaging in cyber operations, leading to more security weaknesses being exposed.”

3. Shifts In CVE Ecosystem

Patchstack, a WordPress security company, identifies and patches vulnerabilities. Their work is adding to the number of vulnerabilities discovered every year. Patchstack offers vulnerability detection and virtual patches. Patchstack’s participation in this ecosystem is helping expose more vulnerabilities, particularly those affecting WordPress.

The press release provided to Search Engine Journal states:

“New contributors to the CVE ecosystem, including Linux and Patchstack, are influencing disclosure patterns and increasing the number of reported vulnerabilities. Patchstack, which focuses on WordPress security, is playing a role in surfacing vulnerabilities that might have previously gone unnoticed. As the CVE ecosystem expands, organizations must adapt their risk assessment strategies to account for this evolving landscape.”

Eireann Leverett, FIRST liaison and lead member of FIRST’s Vulnerability Forecasting Team, highlighted the accelerating growth of reported vulnerabilities and the need for proactive risk management, stating:

“For a small to medium-sized ecommerce site, patching vulnerabilities typically means hiring external partners under an SLA to manage patches and minimize downtime. These companies usually don’t analyze each CVE individually, but they should anticipate increased demands on their third-party IT suppliers for both planned and unplanned maintenance. While they might not conduct detailed risk assessments internally, they can inquire about the risk management processes their IT teams or external partners have in place. In cases where third parties, such as SOCs or MSSPs, are involved, reviewing SLAs in contracts becomes especially important.

For enterprise companies, the situation is similar, though many have in-house teams that perform more rigorous, quantitative risk assessments across a broad (and sometimes incomplete) asset register. These teams need to be equipped to carry out emergency assessments and triage individual vulnerabilities, often differentiating between mission-critical and non-critical systems. Tools like the SSVC (https://www.cisa.gov/ssvc-calculator) and EPSS (https://www.first.org/epss/) can be used to inform patch prioritization by factoring in bandwidth, file storage, and the human element in maintenance and downtime risks.

Our forecasts are designed to help organizations strategically plan resources a year or more in advance, while SSVC and EPSS provide a tactical view of what’s critical today. In this sense, vulnerability forecasting is like an almanac that helps you plan your garden months ahead, whereas a weather report (via EPSS and SSVC) guides your daily outfit choices. Ultimately, it comes down to how far ahead you want to plan your vulnerability management strategy.

We’ve found that Boards of Directors, in particular, appreciate understanding that the tide of vulnerabilities is rising. A clearly defined risk tolerance is essential to prevent costs from becoming unmanageable, and these forecasts help illustrate the workload and cost implications of setting various risk thresholds for the business.”

Looking Ahead to 2026 and Beyond

The FIRST forecast predicts that over 51,000 vulnerabilities will be disclosed in 2026, signaling that cybersecurity risks will continue to increase. This underscores the growing need for proactive risk management rather than relying on reactive security measures.

For users of software like WordPress, there are multiple ways to mitigate cybersecurity threats. Patchstack, Wordfence, and Sucuri each offer different approaches to strengthening security through proactive defense strategies.

The main takeaways are:

• Vulnerabilities are increasing – FIRST predicts up to 50,000 CVEs in 2025, an 11% rise from 2024 and 470% increase from 2023.
• AI and open-source adoption are driving more vulnerability disclosures.
• State-sponsored cyber activity is exposing more security weaknesses.
• Shifting from reactive to proactive security is essential for managing risks.

Read the 2025 Vulnerability Forecast:

Vulnerability Forecast for 2025

Featured Image by Shutterstock/Gorodenkoff

Mullenweg Rebuffs Plea To Restore Automattic’s WordPress Core Contributions via @sejournal, @martinibuster

AA WordPress developer pleaded with Matt Mullenweg at WordCamp Asia 2025, asking him to restore Automattic’s contributions to the WordPress core. Mullenweg apologized and said it’s not up to him; it’s up to WP Engine to drop their lawsuit, and he encouraged the community to put pressure on WP Engine.

Automattic’s Scaled-Back WordPress Contributions

Automattic announced in January 2025 that they were scaling back contributions to the WordPress core to those related to security and critical updates. Contributions that would otherwise had gone to core would be diverted to for-profit initiatives related to Automattic and WordPress.com.

Automattic attributed its January 2025 decision to WP Engine’s lawsuits:

“We’ve made the decision to reallocate resources due to the lawsuits from WP Engine. This legal action diverts significant time and energy that could otherwise be directed toward supporting WordPress’s growth and health. We remain hopeful that WP Engine will reconsider this legal attack, allowing us to refocus our efforts on contributions that benefit the broader WordPress ecosystem.”

WP Engine’s lawsuits, however, were a response to Matt Mullenweg’s WordCamp USA 2024 statements and also activities against WP Engine (like the WP Engine Tracker website) . A federal judge has since sided with WP Engine and granted its request for a preliminary injunction against Automattic and Mullenweg.

WordCamp Attendee Urges Mullenweg To Reinstate Core Contributions

A WordCamp Asia 2024 attendee stepped up during the Q&A portion of the conference and shared his concerns, as a business owner and a plugin developer, for the stagnation of WordPress core development.

He said:

“Hi Matt. So this is not about a question, but I am a bit concerned about like if I see that the last five years or even ten years Automattic is the biggest core contributor in the code base and everything. So it’s not actually biggest, maybe 60%, 70% of the commit… as a company, Automattic do that.

So you recently published in a blog post that you are pulling out all the contribution and everything. So as a developer, as a business owner, …my whole business depends on WordPress. We build WordPress plugins, I think if there is no Automattic in the core contribution, the whole development will be super slow.

I want to request you to reconsider that, and at least in the core development maybe you can make some changes, give more resources in the core. Because it’s complicated, …someone needs to work and I think Automattic has lots of resources, experienced people in there, so I want to request you to reconsider your position and give more developers to the core.”

Matt Mullenweg States Condition For Restoring Core Contributions

Mullenweg responded that Automattic’s spending millions of dollars to defend itself against WP Engine. He insisted that the decision to restore Automattic’s core contributions hinges on WP Engine dropping their lawsuits and encouraged the person to ask WP Engine.

Mullenweg answered:

“Yeah, thank you. Well, it’s definitely not a situation I want to be in. As we said, we’re pausing things. But very, very excited to return to having all those hundred-ish folks back doing some of the work we were doing before.

But right now we’re facing not just a maker and taker program problem… but maker-attacker. So well Automattic’s having to spend millions of dollars, per month sometimes, to defend against these attacks from WP Engine and with the court injunction, it’s just hard to be both be motivated and to just spare the resources to contribute so much.

Now, they could end it tomorrow. And I would love to welcome WP Engine back into the fold, back at WordCamp and everything. But we can’t end it, we can only defend it, you know, to all the legal attacks and they are increasing actually. And they’re coming after me personally too. As soon as they stop that, we’ll get back to it.

So please, I can’t stop it. Ask them.”

Mullenweg Asks Audience To Pressure WP Engine To Drop Lawsuit

The person asking the question said he understood Mullenweg’s position but insisted that, as an end user, he wants the software to continue to thrive. For that reason, he pleaded for Automattic to find a way to restore core contributions.

Mullenweg answered the developers second plea and asked the audience to pressure WP Engine to drop the lawsuit:

“I can’t until the lawsuit is over. So if there’s anything y’all can do to put pressure for the lawsuit to end, that would be the fastest thing to get our contributions back.”

He ended his response with a smile, saying:

“So… sorry about that.”

Concern Over Cuts To Core Contribution

The WordPress developer expressed deep concern and anxiety about the pace of WordPress core development. He emphasized that Automattic has historically provided a significant portion of core contributions and feared that without its support, WordPress development would slow significantly, impacting his business and those of others who rely on the platform.

Matt Mullenweg’s response did not directly address the WordPress developer’s plea to reconsider Automattic’s core contribution cuts. His answer framed the decision to restore core contributions as out of his control because it is dependent on WP Engine dropping its lawsuit. He stated that the lawsuit costs Automattic millions of dollars.

Mullenweg’s main points in his response to restoring Automattic’s core contributions were:

• Automattic’s reduced contributions result from the financial and legal burden of defending against WP Engine’s lawsuit.
• WP Engine’s legal actions make it difficult for Automattic to contribute at previous levels.
• He urged the audience to pressure WP Engine to drop the lawsuit.

Watch The Question and Answer segment at the 6:21:32 minute mark:

WordCamp Asia: No Plans For WordPress In 5 Years via @sejournal, @martinibuster

An awkward Q&A at WordCamp Asia 2025 saw Matt Mullenweg struggle to answer where WordPress will be in five years. Apparently caught off guard, he turned to the Lead Architect of Gutenberg for ideas, but he couldn’t answer either.

Project Gutenberg

Gutenberg is a reimagining of how WordPress users can build websites without knowing any code, with a visual interface of blocks for different parts of a web page, which is supposed to make it easy. Conceived as a four phase project, it’s been in development since 2017 and is currently in phase three.

The four phases are:

• Phase 1: Easier Editing
• Phase 2: Customization
• Phase 3: Collaborative Editing
• Phase 4: Multilingual Support

There’s a perception that Project Gutenberg has not been enthusiastically received by the WordPress developer community or by regular users, even though there are currently 85.9 million installations of the Gutenberg WordPress editor.

However, one developer at WordCamp Asia told Matt Mullenweg at the end of conference Q&A session that she was experiencing hesitations from people she speaks with about using WordPress and expressed frustration about how difficult it was to use it.

She said:

“Some of those hesitations were it’s easy to get overwhelmed. You know, when you look up how to learn WordPress, and I had to be really motivated… for myself to actually study it and kind of learn the basics of blocks… So do you have any advice on how I could convince my friends to start a WordPress site or how to address these challenges myself? You know like, getting overwhelmed and feeling like there’s just so much. I’m not a coder and things like that… any advice you can offer small business owners?”

The whole purpose of the Gutenberg block editor was to make it easier for non-coders to use WordPress. So a WordPress user asking for ideas on how to convince people to use WordPress presented an unflattering view of the success of the WordPress Gutenberg Project.

Where Will WordPress Be In Five Years?

Another awkward moment was when someone else asked Matt Mullenweg where he saw WordPress being in five years. The question seemingly caught him off guard as he was unable to articulate what the plan is for the world’s most popular content management system.

Mullenweg had been talking about the importance of AI and of some integrations being tested in the commercial version at WordPress.com. So the person asking the question asked if he had any other ideas beyond AI.

The person asked:

“If you have other ideas beyond AI or even how we consume WordPress five years from now that might be different from today.”

Matt Mullenweg answered:

“Yeah, it’s hard to think about anything except AI right now. And as I said a few years ago, before ChatGPT came out, learn AI deeply. Everyone in the room should be playing with it. Try out different models. Check out Grok, check out DeepSeek, two of the coolest ones that just launched.

And for WordPress, at that point will be past all the phases of Gutenberg. I think… I don’t know…”

It was at this point that Mullenweg calls on Matías Ventura, Lead Architect of Gutenberg, to ask him if he has any ideas of where WordPress is headed in five years.

He continued:

“Matías, what do you think? What’s post-Gutenberg? We’ve been working for so long, it’s…”

Matías Ventura, Lead Architect of Gutenberg, came up to a microphone to help Mullenweg answer the question he was struggling with.

Matías answered:

“I mean, hopefully we’ll be done by then so…”

Mullenweg commented:

“Sometimes that last 10% takes, you know, 90% of the time.”

Matías quipped that it can take a hundred years then continued his answer, which essentially admitted that there were no plans without actually admitting that there were no plans for five years out.

He continued his answer:

“I don’t know, I think, well in the talk I gave I… also reflected a bit that part of the thing is just discovering as we go, like figuring out how like, right now it’s AI that’s shaping reality but who knows, in a few decades what it would be. And to me, the only conviction is that yeah, we’ll need to adapt, we’ll need to change. And that’s part of the fun of it, I think. So I’m looking forward to whatever comes.”

Mullenweg jumped in at this point with his thoughts:

“That’s a good point of the, you know, how many releases we have of WordPress right now, 60 or whatever… 70 probably…. Outside of Gutenberg, we haven’t had a roadmap that goes six months or a year, or a couple versions, because the world changes in ways you can’t predict.

But being responsive is, I think, really is how organisms survive.

You know, Darwin, said it’s not the fittest of the species that survives. It’s the one that’s most adaptable to change. I think that’s true for software as well.”

Mullenweg Challenged To Adapt To Change

His statement about being adaptable to change set up another awkward moment at the 6:55:47 minute mark where Taco Verdonschot, co-owner of Progress Planner, stood up to the microphone and asked Mullenweg if he really was committed to being adaptable.

Taco Verdonschot is formerly of Yoast SEO and currently sponsored to work on WordPress by Emilia Capital (owned by Joost de Valk and Marieke van de Rakt).

Taco asked:

“I’m Taco, co-owner of Progress Planner. I was wondering, you were talking about adaptability before and survival of the fittest. That means being open to change. What we’ve seen in the last couple of months is that people who were talking about change got banned from the project. How open are you to discussing change in the project?”

Mullenweg responded:

“Sure. I don’t want to go too far into this but I will say that talking about change will not get you banned. There’s other behaviors… but just talking about change is something that we do pretty much every day. And we’ve changed a lot over the years. We’ve changed a lot in the past year. So yeah. But I don’t want to speak to anyone personally, you know. So keep it positive.”

Biggest Challenges WordPress Will Face In Next Five Years

Watch the question and answer at the 6:19:24 mark