2025 saw an explosion in CVEs: Here's what the data shows

Published on 5 Jan 2026

Context

A record 48,185 CVEs were published in 2025, including over 8,000 cross-site scripting (XSS) bugs. This analysis piece by The Stack explores the trends, including the “WordPress Effect” where plugin security firms now drive CVE volume, and discusses the implications for developers and security teams.

I provided commentary on how developers can address these persistent security challenges, particularly around tooling and AI-assisted development.

Key Quotes

On integrating security into the development lifecycle:

Chris Reddington, a senior program manager in DevRel strategy at GitHub, cites its native tools like code scanning, dependency review, and Dependabot as there to help “teams detect and mitigate issues early, directly as part of their lifecycle.”

On AI and secure coding practices:

“As AI becomes increasingly integrated into development (and projected to assist in writing the majority of code within the next five years), developers need to pair automation with thoughtful oversight, using AI assertively whilst combining that with the foundations of quality checks, patterns and practices that we already use today…”