Bookmarked https://wptavern.com/wordfence-and-wpscan-publish-mid-year-wordpress-security-report.
And over two thirds of them stem from missing or incorrect escaping of user input, and would’ve been avoided by running a static analyzer, like PHPCS with WordPress’s ruleset.
> The vast majority of the vulnerabilities you hear about in the WordPress ecosystem come from plugins[.]
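
To make the comment above concrete, here is an added example (not taken from the report or from any real plugin) of the kind of unescaped output the WordPress ruleset for PHPCS reports, next to the corrected form. The `myplugin_*` function names and the `q` parameter are hypothetical, and the three stand-in functions are simplified substitutes so the file also runs outside WordPress.

```php
<?php
// Added example with hypothetical plugin code.
// Check it with: phpcs --standard=WordPress this-file.php (needs the WordPress Coding Standards installed).

// Simplified stand-ins, used only when WordPress is not loaded (assumption: run from the CLI).
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
	function wp_unslash( $value ) {
		return is_string( $value ) ? stripslashes( $value ) : $value;
	}
	function sanitize_text_field( $str ) {
		return trim( strip_tags( (string) $str ) );
	}
}

// BEFORE: request data is echoed as-is.
// The ruleset reports this line under WordPress.Security.EscapeOutput (output not escaped)
// and WordPress.Security.ValidatedSanitizedInput (input not validated, unslashed or sanitized).
function myplugin_search_heading_unsafe() {
	echo '<h2>Results for ' . $_GET['q'] . '</h2>';
}

// AFTER: check the key exists, unslash and sanitize on input, escape on output.
// The NonceVerification sniff will still warn about reading $_GET without a nonce check;
// whether a read-only display needs one is a separate decision.
function myplugin_search_heading() {
	$query = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
	echo '<h2>Results for ' . esc_html( $query ) . '</h2>';
}

// Constructed sample input containing markup and special characters.
$_GET['q'] = '<em>shoes</em> & "boots"';

myplugin_search_heading_unsafe(); // the markup reaches the page unchanged
echo "\n";
myplugin_search_heading();        // tags are stripped, & and quotes are entity-encoded
echo "\n";
```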