Now that 2024 has come to its conclusion, I’ve decided to kick off a post outlining some observations, trends, and insights for the CVEs published. As always, more information is available in our Discord alongside industry-leading cybersecurity experts, including the data and SQL queries used; check it out here! In short, 2024 was a weird year for CVEs, and this post will hopefully share some of the insights into what makes it weird.
TL;DR — the trends in 2024 tell a much deeper story. The average CVSS 3.1 score dropped from High (7.09) to Medium (6.9), fewer overall CVEs were reserved (including fewer Critical and High severity), some products saw historic volume increases for published CVEs, and more!
Insights
This section will cover some overall trends and analysis of bits of information I found interesting and worth sharing for discussion.
Disclaimer:
All of the trends and insights are courtesy of the NVD Data Feeds <here>. I know, I know, there is a backlog of published CVEs, so the numbers will possibly adjust over time; I also know there are sources such as VulDB (not to be confused with VulnDB), VulnCheck, and many, many more that have more enriched data. Where possible, I will highlight alternative sources for comparison.
Insight #1 – The Median and Average CVSS v3.1 Severity Dropped from High to Medium.
This is due to a drop of 2.6% from 7.09 (2023) to 6.9 (2024) across the NVD dataset, continuing a trend of decreasing scores with an average of 7.18 (2022), 7.07 (2021), and 7.15 (2020). The median also dropped 9.7%, from 7.2 (2023) to 6.5 (2024).
To reiterate my disclaimer, I know the number of CVEs in the backlog for publishing in 2024 is 3.62x larger with 19,478 CVEs (58%) requiring review vs 5,374 (18.4%) in 2023. So we’ll use an alternative feed of data in CVEDetails.com which has a much more complete dataset of CVE severities and scores completed for 2024.
When comparing the averages <here>, 2024 saw an average score of 7.1, a drop from 7.7 (2023), 7.8 (2022), 7.7 (2021), and 7.8 (2020), which tells the story in a more drastic way. Last year was the largest drop ever and the 2nd largest change ever (2016, +1.1 score, when the concept of a CNA was introduced). So this is a strong signal that the NVD data is not too far off, and a drop back to an average / median CVSS score of Medium is possible in the future. The last time the average CVSS score was a Medium was 2015, prior to the big shift in the CNA reporting structure. Is this indicative of a return to 2011-2015 levels?
The below table sourced using CVEDetails.com shows the historical trend and hopefully formats well for your screen.
| Year | Average | Change | 5 Yr Avg | 5 Year Chg |
| 2024 | 7.1 | -0.6 | 7.62 | -0.14 |
| 2023 | 7.7 | -0.1 | 7.76 | -0.04 |
| 2022 | 7.8 | 0.1 | 7.8 | -0.02 |
| 2021 | 7.7 | -0.1 | 7.82 | -0.04 |
| 2020 | 7.8 | 0 | 7.86 | 0.2 |
| 2019 | 7.8 | -0.1 | 7.66 | 0.28 |
| 2018 | 7.9 | 0 | 7.38 | 0.24 |
| 2017 | 7.9 | 0 | 7.14 | 0.24 |
| 2016 | 7.9 | 1.1 | 6.9 | 0.18 |
| 2015 | 6.8 | 0.4 | 6.72 | -0.06 |
| 2014 | 6.4 | -0.3 | 6.78 | -0.14 |
| 2013 | 6.7 | 0 | 6.92 | -0.1 |
| 2012 | 6.7 | -0.3 | 7.02 | -0.1 |
| 2011 | 7 | -0.1 | 7.12 | 0.06 |
| 2010 | 7.1 | 0 | 7.06 | 0.1 |
| 2009 | 7.1 | -0.1 | 6.96 | 0.1 |
| 2008 | 7.2 | 0 | 6.86 | 0.08 |
| 2007 | 7.2 | 0.5 | 6.78 | N/A |
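To make the arithmetic behind Insight #1 and the table above reproducible, here is an added Python example (my own code, not part of the original post or of CVEDetails.com). It maps a score to its CVSS v3.1 qualitative rating, computes a year's mean and median from a list of base scores, and recomputes the Change, 5 Yr Avg and 5 Year Chg columns from the yearly averages the page reports. The per-year score lists are constructed samples; the yearly averages are the page's values, and because the page only lists 2007 onward, the five-year windows for 2007 to 2010 cannot be completed here and come back as None.

```python
from statistics import mean, median


def cvss31_rating(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative rating (CVSS v3.1 spec, section 5)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def year_stats(scores):
    """Mean and median of one year's base scores and the rating each central value lands in."""
    avg = round(mean(scores), 2)
    med = round(median(scores), 2)
    return {
        "n": len(scores),
        "mean": avg,
        "mean_rating": cvss31_rating(avg),
        "median": med,
        "median_rating": cvss31_rating(med),
    }


def pct_change(new: float, old: float) -> float:
    """Relative change in percent, rounded to one decimal (median 7.2 -> 6.5 is -9.7%)."""
    return round(100.0 * (new - old) / old, 1)


# Yearly average CVSS scores as the page reports them from CVEDetails.com.
# Years before 2007 are not on the page, so five-year windows needing them stay None.
CVEDETAILS_YEARLY_AVERAGE = {
    2007: 7.2, 2008: 7.2, 2009: 7.1, 2010: 7.1, 2011: 7.0, 2012: 6.7,
    2013: 6.7, 2014: 6.4, 2015: 6.8, 2016: 7.9, 2017: 7.9, 2018: 7.9,
    2019: 7.8, 2020: 7.8, 2021: 7.7, 2022: 7.8, 2023: 7.7, 2024: 7.1,
}


def build_trend_table(averages, window=5):
    """Recompute the Change, 5 Yr Avg and 5 Year Chg columns from yearly averages.

    5 Yr Avg is the trailing mean over the year itself and the four years before it;
    5 Year Chg is the difference between consecutive five-year averages.
    """
    years = sorted(averages)
    five_year = {}
    for y in years:
        span = [averages.get(y - k) for k in range(window)]
        five_year[y] = round(mean(span), 2) if all(v is not None for v in span) else None
    rows = []
    for y in years:
        prev_avg = averages.get(y - 1)
        prev_five = five_year.get(y - 1)
        rows.append({
            "year": y,
            "average": averages[y],
            "change": round(averages[y] - prev_avg, 2) if prev_avg is not None else None,
            "five_year_avg": five_year[y],
            "five_year_change": (round(five_year[y] - prev_five, 2)
                                 if five_year[y] is not None and prev_five is not None else None),
        })
    return rows


if __name__ == "__main__":
    # Constructed sample score lists, not NVD data.
    print(year_stats([9.8, 7.5, 7.2, 6.5, 5.3]))  # 2023-like: mean 7.26 (High), median 7.2 (High)
    print(year_stats([8.8, 6.5, 6.5, 5.4, 4.3]))  # 2024-like: mean 6.3 (Medium), median 6.5 (Medium)
    print(pct_change(6.5, 7.2))                    # -9.7, the median drop quoted above
    for row in reversed(build_trend_table(CVEDETAILS_YEARLY_AVERAGE)):
        print(row)
```

Feeding the page's yearly averages through `build_trend_table` reproduces the 5 Yr Avg and 5 Year Chg columns for every year from 2011 onward (for example 7.62 and -0.14 for 2024), which confirms the table's five-year average is a trailing window that includes the year itself.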
Insight #2 – The rate of Critical and High Severity CVEs is Dropping
The number of Critical and High CVEs so far for 2024 is also down. When comparing the number of Critical and High CVEs as a percentage of the total number of reviewed CVEs in NVD for 2024 (13,920 CVEs) and 2023 (23,782), we can see a 2% drop in Critical CVEs and a 3.6% drop in High CVEs. This trend is also not specific to NVD; CVEDetails saw a similar trend, with 17.7% (5,161 / 29,066) Critical and 40% (11,694 / 29,066) High in 2023 compared to 12.7% (5,141 / 40,291) Critical and 34.9% (14,077 / 40,291) High in 2024.
NVD
| Label | 2024 | 2023 | YoY |
| Critical | 13.7% (1,920) | 15.7% (3,736) | -2% (-1,816) |
| High | 33.5% (4,676) | 37.1% (8,843) | -3.6% (-4,167) |
| Medium | 50% (7,057) | 45.6% (10,852) | +4.4% (-3,795) |
| Low | 1.9% (267) | 1.4% (351) | +0.5% (-84) |
CVEDetails
| Label | 2024 | 2023 | YoY |
| Critical | 12.7% (5,141) | 17.7% (5,161) | -5% (-20) |
| High | 34.9% (14,077) | 40% (11,694) | -5.1% (+2,383) |
Similarly, the 2022 rate was 19.9% (5,008 / 25,084) Critical and 40.2% (10,092 / 25,084) High, and 2021 was 17.8% Critical and 41.1% High. Much like the previous insight, there are signals that there is a shift in the vulnerabilities being discovered and published in 2024. Is there a security equivalent to Wall Street’s term of being “bearish” for the number and severity of vulnerabilities disclosed going forward? Or is this just a blip in the grand scheme of things? This leads into the next point, which I believe is the most doomsayer of signals so far.
Insight #3 – The Total Reserved CVEs Dropped ~7% from 2023 to 2024.
My last post outlined an interesting trend where rising or elevated unemployment rates often led, or were followed by, a drop in the number of CVEs “Reserved”. A quick summary is that CVEs are Reserved by CNAs (CVE Numbering Authorities) prior to “publishing” the final CVE. Reserved CVEs are typically the limbo area where a vulnerability will sit prior to getting fully assessed, patched, or understood. Once all of that is complete, it typically moves into a “Published” or “Rejected” state. In 2024, the number of “Reserved” CVEs dropped by about 7% compared to 2023, a trend also seen after COVID in 2021, in 2010 during high unemployment, and in 2008 during the great financial crisis. Nonetheless, CVEs Reserved acts as a quasi denominator for the total universe of CVEs; with a large drop like this, it begs to be analyzed.
Because of this I ask the community: Are all of the above signals flashing “red” or lower due to the tech layoffs of 2023 and 2024? Meaning, less code and fewer testers? Is it a sign that software is becoming more secure? Or have security researchers pivoted to Generative AI?
Is there a home for CVEs related to LLM/Gen AI Models? Should there be? CVE.org believes there should be clearer swimlanes: “The CVE Board recognizes clear swim lanes need to be established for AI-related CVE-assignable vulnerabilities as this impacts product security team operations.” <source>. Perhaps once there is a clearer archetype of CVEs for LLMs and such, then there will be another uptick. Until then, we wait!
Insight #4 – WordPress CVEs
While scrolling through my LinkedIn I saw an interesting post from the always wonderful Patrick Garrity at VulnCheck covering some of the 2024 trends for CVEs. If you haven’t already connected with Patrick, I highly recommend it, he’s an awesome source of information in the Vulnerability Management community at large.
As always, Patrick does a great job finding metrics that get me thinking about the world of CVEs more deeply. In this case, one post in particular had me going deep in multiple dimensions.

At first glance, this post tells a story of WordPress, WordPress, WordPress, which is definitely the primary takeaway. This can result in two different perspectives: 1) the prevailing “meme” sentiment around the security community is that WordPress and related plugins remain insecure due to the number of CVEs published, or the contrarian view that 2) WordPress is maturing rapidly and has stronger mechanisms than ever to identify vulnerabilities in their related products. Given the drama happening in the WordPress world, this will likely be viewed as a point in the opinion #1 column.
For this section we will compare the 3 major CNAs (CVE Numbering Authorities) for WordPress and related vulnerabilities year over year to understand the change better due to the large uptick.
First off, we have the WPScan.com CNA. Please note there are still 425 CVEs for 2024 under review by NVD at the time of writing this article, so these numbers are subject to change (there is also a large volume of CVEs under review for the other 2 CNAs). However, we can still estimate where things should land based on the previous rate of Critical, High, and Medium CVEs. As an example, Criticals appear 4.4% of the time out of the 810; given the 2024 total, that would account for roughly ~27 total critical issues, which is a decrease from last year of 25%. Likewise for High CVEs, they were found in 20% of the CVEs published in 2023. For 2024, that would result in 120 High CVEs. A positive trend for both categories.
The table below outlines the different severities and their respective change from year to year.
| contact@wpscan.com | 2023 WPScan.com | 2024 WPScan.com | Change YoY (+/-) |
| Total | 802 | 610 | -192 |
| Critical | 36 | 7 | -29 |
| High | 161 | 20 | -141 |
| Medium | 572 | 158 | -414 |
For the next table, we’ll compare the next largest contributor, which was wordfence.com. At the time of writing, there were still 1,866 CVEs Under Review associated with wordfence.com in NVD. Despite going up in all severities, the rate of Critical and High issues has dropped drastically.
If we remove the Under Review CVEs to see the rate of Critical and High issues relative to the already reviewed total, that leaves us with 1,456 total CVEs that were reviewed. That’s a 2.4% rate of Criticals in 2024 versus a 3.6% rate in 2023. The story continues for Highs, where a rate of 8.7% was seen in 2024, compared to a rate of 10.1% in 2023.
| cve-request@wordfence.com | 2023 wordfence.com | 2024 wordfence.com | Change YoY (+/-) |
| Total | 948 | 3,322 | +2,374 |
| Critical | 35 | 36 | +1 |
| High | 96 | 128 | +32 |
| Medium | 614 | 1,286 | +672 |
Given the large volume of Under Review CVEs associated with this CNA, it is possible that we will see a shift in these numbers that may change the story here a bit. We reached out to wordfence.com for comment but have not heard back. However, the sheer number of Critical CVEs submitted so far tells a story of a concerted effort to improve the security posture of WordPress and related plugins.
Lastly, we’ll cover patchstack.com and the CVEs associated with their CNA. Similar to wordfence.com, there were still 2,998 CVEs “Under Review”, so for the purposes of this we’ll remove those from the total and use 920 as our denominator for 2024. In 2024, High Severity CVEs saw a rate of 27.3% vs 27.8% in 2023. This is a similar enough number to indicate that there isn’t much of a shift other than purely volumetrically. Whereas in 2023 the rate of Critical CVEs sat at 3.2%, it jumped to 13.4% in 2024. This is possibly because CNAs often review the most severe CVE submissions prior to reviewing the lower severity ones.
| audit@patchstack.com | 2023 patchstack.com | 2024 patchstack.com | Change YoY (+/-) |
| Total | 2,644 | 3,918 | +1,274 |
| Critical | 87 | 124 | +37 |
| High | 737 | 252 | -485 |
| Medium | 1,211 | 543 | -668 |
Similar to Wordfence.com, it is clear that PatchStack is also on a mission to identify and handle Critical CVEs associated with WordPress and related plugins. I suspect the increase is due to a common flaw or design problem among WordPress plugins that casts a wide net across the plugin ecosystem.
So — what does this all mean? When looking at the numbers, there are no strong signals that WordPress and related plugins are performing worse in 2024 compared to 2023. Instead, it looks like intentional actions were taken given the large increase in Critical CVEs. However, there are a lot of Under Review CVEs that still need to be accounted for. Should the rates described above hold steady, then I believe it is safe to say that this suite of products is simply moving along the product maturity lifecycle with regard to cybersecurity posture, and kudos should be given to the WordPress community.
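The per-CNA rates in this section (and the year-over-year comparison in Insight #2) depend on one choice: CVEs still Under Review are dropped from the denominator so the rate is measured against reviewed CVEs only. The following is an added Python example of that computation, written for this post and not code from the original post, NVD, or any of the CNAs named. It assumes records shaped like the NVD API 2.0 `cve` object (`sourceIdentifier`, `published`, `vulnStatus`, `metrics.cvssMetricV31[].cvssData.baseSeverity`), treats the NVD statuses `Received`, `Awaiting Analysis` and `Undergoing Analysis` as "Under Review", and runs on a small constructed feed; the `contact@wpscan.com` identifier is the page's, but the records behind it are invented.

```python
from collections import Counter, defaultdict

# NVD vulnStatus values for CVEs that still need enrichment; they map to the page's
# "Under Review" bucket and are excluded from the rate denominator.
UNDER_REVIEW = {"Received", "Awaiting Analysis", "Undergoing Analysis"}
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def make_cve(cna, published, status, severity=None):
    """Build a minimal record in the shape of an NVD API 2.0 'cve' object (constructed, not real data)."""
    cve = {"sourceIdentifier": cna, "published": published, "vulnStatus": status, "metrics": {}}
    if severity is not None:
        cve["metrics"]["cvssMetricV31"] = [
            {"type": "Primary", "cvssData": {"version": "3.1", "baseSeverity": severity}}
        ]
    return cve


def severity_of(cve):
    """Return the CVSS v3.1 baseSeverity, preferring the NVD-authored ('Primary') metric."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    if not metrics:
        return None
    primary = next((m for m in metrics if m.get("type") == "Primary"), metrics[0])
    return primary["cvssData"]["baseSeverity"]


def cna_rates(records):
    """Per (CNA, year): totals, under-review count, severity counts, and rates over reviewed CVEs only."""
    buckets = defaultdict(lambda: {"total": 0, "under_review": 0, "counts": Counter()})
    for cve in records:
        key = (cve["sourceIdentifier"], int(cve["published"][:4]))
        bucket = buckets[key]
        bucket["total"] += 1
        if cve["vulnStatus"] in UNDER_REVIEW:
            bucket["under_review"] += 1
            continue  # no score yet, so it cannot be placed in a severity bucket
        sev = severity_of(cve)
        if sev:
            bucket["counts"][sev] += 1
    result = {}
    for key, bucket in buckets.items():
        reviewed = bucket["total"] - bucket["under_review"]
        result[key] = {
            "total": bucket["total"],
            "under_review": bucket["under_review"],
            "reviewed": reviewed,
            "counts": {s: bucket["counts"][s] for s in SEVERITIES},
            "rates": {s: (round(100.0 * bucket["counts"][s] / reviewed, 1) if reviewed else 0.0)
                      for s in SEVERITIES},
        }
    return result


def yoy_rate_change(stats, cna, year):
    """Percentage-point change of each severity's rate versus the previous year for one CNA."""
    cur, prev = stats[(cna, year)]["rates"], stats[(cna, year - 1)]["rates"]
    return {s: round(cur[s] - prev[s], 1) for s in SEVERITIES}


def sample_year(cna, year, severities, under_review=0):
    """Constructed feed for one CNA and year: analyzed CVEs plus some still awaiting analysis."""
    recs = [make_cve(cna, f"{year}-06-10T12:00:00.000", "Analyzed", s) for s in severities]
    recs += [make_cve(cna, f"{year}-09-10T12:00:00.000", "Awaiting Analysis")
             for _ in range(under_review)]
    return recs


WP = "contact@wpscan.com"  # CNA identifier from the page; the records below are invented
SAMPLE = (sample_year(WP, 2023, ["CRITICAL"] * 2 + ["HIGH"] * 2 + ["MEDIUM"] * 6)
          + sample_year(WP, 2024, ["CRITICAL"] + ["HIGH"] + ["MEDIUM"] * 6, under_review=2))

if __name__ == "__main__":
    stats = cna_rates(SAMPLE)
    for key in sorted(stats):
        print(key, stats[key])
    print("YoY (pct points):", yoy_rate_change(stats, WP, 2024))
```

In the constructed 2024 set, 1 of 10 CVEs is Critical, but 2 of the 10 are still awaiting analysis, so the Critical rate is 12.5% over the 8 reviewed CVEs rather than 10% over the total; that is the difference the denominator choice makes, and it is why the rates above will move as NVD works through the backlog.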
Closing Thoughts
I can drone on and on about all of the trends and thoughts I have related to the CVEs in 2024 (or any year, for that matter). Either way, this year stood out to me as a unique year for a number of different reasons. Granted, there were structural changes to how / when a CNA should report on a vulnerability (ironically, I thought this would increase things drastically). I end this post with the following question: how do you feel about CVEs and the Vulnerability Management industry at large?