WordPress 2.2.3 contains a significant security risk with 27 known vulnerabilities, including 2 critical-level flaws that could compromise your website. If you're running this version, your site may be exposed to unauthorized file deletion, arbitrary file uploads, and other serious attacks. This guide explains the vulnerabilities affecting WordPress 2.2.3 and provides step-by-step instructions to protect your website.
The two most dangerous vulnerabilities are arbitrary file deletion in the Madara Core plugin and missing server-side rating validation in the WP Hotel Booking plugin. These flaws could allow attackers to delete critical files or manipulate data without proper authorization. In addition, 10 high-severity vulnerabilities pose risks through SQL injection, file inclusion, and object injection attacks.
WordPress 2.2.3 is an older version of the WordPress content management system, but in this context the version number refers to vulnerable plugins running on WordPress sites rather than to the core WordPress software itself. The plugins mentioned (Madara Core, WP Hotel Booking, JetTabs for Elementor, and others) all have security issues in their 2.2.3 versions that expose websites to attack. These plugins are commonly used on WordPress sites to add specialized functionality such as hotel bookings, product inquiries, and tab management.
When plugins aren't updated regularly, they become outdated and susceptible to security exploits. Attackers actively scan for outdated plugins because these vulnerabilities are publicly disclosed. Running version 2.2.3 of these plugins puts your site at risk of data theft, malware injection, and complete site takeover. The 27 vulnerabilities range from critical threats that need immediate attention to medium-severity issues that still require patching.
27 CVEs found. The most critical are explained below.
The Madara plugin has a serious flaw that lets anyone (even without a login) delete important files from your website. This happens because the plugin doesn't properly check file paths before deleting them.
Impact: An attacker could delete critical website files, causing your site to crash or become completely unusable. Your business could lose access to all content and functionality.
The WP Hotel Booking plugin doesn't verify review ratings properly on the server side. Attackers can manipulate ratings to show fake negative or positive reviews without legitimate user input.
Impact: Your hotel's reputation could be damaged by fake negative reviews, or competitors could artificially inflate their ratings, misleading your customers about quality and trustworthiness.
The Events Made Easy plugin has a flaw that allows even basic user accounts (subscribers) to attack your website's database through a search function. The plugin doesn't properly filter user input before using it in database queries.
Impact: Hackers could steal sensitive customer data, event information, or payment details stored in your database. They could also modify or delete your event data.
The FULL Customer plugin allows basic user accounts to install plugins without proper permission checks. An attacker with even subscriber access can install malicious code onto your site.
Impact: Hackers can install malware or backdoors on your website, giving them complete control. They could steal data, inject ads, or use your site for spam and phishing.
The JetTabs for Elementor plugin has a flaw that lets attackers with contributor-level access retrieve and execute any file stored on your server. They can access files outside the normal website directory.
Impact: Attackers can view sensitive configuration files, database backups, and private information. They could execute harmful code and compromise your entire server.
The Product Enquiry for WooCommerce plugin incorrectly processes user data, allowing attackers with author-level accounts to inject and execute malicious code through specially crafted requests.
Impact: Attackers can take control of your website, steal customer information, inject malware, or redirect visitors to malicious sites. Your store's security and customer trust are at risk.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2022-33960 | HIGH | 8.5 | 2022-07-22 | Multiple Authenticated (subscriber or higher user role) SQL Injection (SQLi) vulnerabilities in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress. |
| CVE-2025-13192 | HIGH | 8.2 | 2026-02-05 | The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple… |
| CVE-2007-4894 | HIGH | 7.5 | 2007-09-14 | Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_… |
| CVE-2008-2146 | HIGH | 7.5 | 2008-05-12 | wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access r… |
| CVE-2024-13474 | HIGH | 7.5 | 2025-02-22 | The LTL Freight Quotes – Purolator Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and inclu… |
| CVE-2025-12399 | HIGH | 7.2 | 2025-11-08 | The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/… |
| CVE-2021-34625 | MEDIUM | 6.4 | 2021-07-07 | A vulnerability in the saveCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to inject arbitrary web scripts. This issue affec… |
| CVE-2022-27235 | MEDIUM | 6.3 | 2022-07-22 | Multiple Broken Access Control vulnerabilities in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress. |
| CVE-2024-9207 | MEDIUM | 6.1 | 2024-10-08 | The BuddyPress Docs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions… |
| CVE-2024-11461 | MEDIUM | 6.1 | 2024-12-03 | The Form Data Collector plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.2.3 due to insufficie… |
| CVE-2021-24635 | MEDIUM | 5.4 | 2021-09-20 | The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing… |
| CVE-2023-0219 | MEDIUM | 5.4 | 2023-03-13 | The FluentSMTP WordPress plugin before 2.2.3 does not sanitize or escape email content, making it vulnerable to stored cross-site scripting attacks (XSS) when an administrator vie… |
| CVE-2024-8983 | MEDIUM | 4.8 | 2024-10-08 | Custom Twitter Feeds WordPress plugin before 2.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-… |
| CVE-2024-2428 | MEDIUM | 4.7 | 2024-04-10 | The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and … |
| CVE-2007-4893 | MEDIUM | 4.3 | 2007-09-14 | wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote atta… |
| CVE-2014-4515 | MEDIUM | 4.3 | 2014-07-01 | Cross-site scripting (XSS) vulnerability in mce_anyfont/dialog.php in the AnyFont plugin 2.2.3 and earlier for WordPress allows remote attackers to inject arbitrary web script or … |
| CVE-2014-6313 | MEDIUM | 4.3 | 2014-10-14 | Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the range paramete… |
| CVE-2021-34626 | MEDIUM | 4.3 | 2021-07-07 | A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administra… |
| CVE-2021-34627 | MEDIUM | 4.3 | 2021-07-07 | A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by ad… |
| CVE-2023-4242 | MEDIUM | 4.3 | 2023-08-09 | The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. … |
| CVE-2024-12061 | MEDIUM | 4.3 | 2024-12-18 | The Events Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.3 via the naevents_elementor_template shortcode… |
WordPress 2.2.3 vulnerable plugins represent a serious security threat that requires immediate action. With 2 critical vulnerabilities and 10 high-severity flaws, your website could be compromised within days if left unpatched. The good news is that updating your plugins is a straightforward process that takes minutes to complete and significantly reduces your attack surface.
Don't wait until your site gets hacked. Use SiteRecipe.com's free vulnerability scanner to identify outdated and vulnerable plugins on your WordPress site in seconds. Our platform continuously monitors your plugins against the latest CVE databases and alerts you to security issues before hackers can exploit them. Visit SiteRecipe.com today and get a complete security audit of your WordPress installation—protect your business and your customers' data.