An analysis found these web frameworks to be the most-targeted by cybercriminals in 2019. input-validation bugs edged out cross-site scripting (XSS) as most-weaponized weakness type. WordPress and Apache Struts alone accounted for 57 percent of exploited framework bugs during the year. XSS was the most common vulnerability over the 10-year study period, but it dropped to fifth when analyzed for just the last five years. PHP for WordPress and Java for Struts were also the most weaponized languages in the study.
Source: https://threatpost.com/wordpress-apache-struts-most-bug-exploits/153927/