WordPress 2.9.1 contains 47 known security vulnerabilities that put your website at serious risk. Among these are 1 critical vulnerability and 13 high-severity flaws that could allow attackers to upload malicious files, execute code remotely, and steal sensitive data. If your website is still running this outdated version, immediate action is required to protect your business and your users.
This comprehensive guide will walk you through identifying whether your site is vulnerable, understanding the specific threats you face, and implementing the necessary security updates. With only 3 websites worldwide still using this version, you're likely behind on critical security patches that have been released over the years.
Our security experts have analyzed all 47 CVEs to bring you actionable steps that will take your site from vulnerable to secure in minutes.
WordPress 2.9.1 is an extremely outdated version of the world's most popular content management system, originally released in 2010. At that time, it was considered modern and feature-rich, but over a decade of security research has uncovered numerous vulnerabilities in this and all older WordPress versions. If you're still running WordPress 2.9.1, your site is operating with security standards from an era before modern cybersecurity threats existed.
Think of WordPress 2.9.1 like driving a car from 2010 without any of the safety features, security systems, and crash protection added in newer models. While the basic transportation works, you're missing critical protections that modern vehicles (and modern WordPress versions) now include as standard. Your website faces constant threats from automated bots scanning the internet for vulnerable sites, and WordPress 2.9.1 is like having a giant neon sign advertising that you're an easy target.
47 CVEs found. The most critical are explained below.
This vulnerability in the WooCommerce Help Scout plugin lets anyone upload files to your website without logging in first. Files end up in a specific folder that could be accessed or executed by attackers.
Impact: Attackers could upload malicious files that compromise your entire website, steal customer data, or take control of your site completely.
The Paid Memberships Pro plugin has a flaw that allows basic members to manipulate database queries through shortcodes. This happens because the plugin doesn't properly filter what members can input.
Impact: Attackers with member accounts could access, steal, or delete sensitive information from your database including customer records and payment data.
The CM Download Manager plugin is missing CSRF (cross-site request forgery) protection, the verification check that confirms a request was intentionally made by the logged-in user. Without it, attackers can trick logged-in administrators into submitting unwanted changes.
Impact: Hackers could trick your admin into modifying or deleting downloads, or making other administrative changes without your knowledge or permission.
The Pods plugin doesn't properly clean user input in shortcodes, allowing attackers to inject malicious database (SQL) commands. This affects many versions of the plugin.
Impact: Attackers could access, modify, or delete your entire database including all customer information, products, and business-critical data.
The Pods plugin has a critical flaw that lets contributors and other authenticated users execute malicious code on your server through shortcodes.
Impact: Anyone with contributor access or higher could completely take over your website, steal all data, or use it to attack your customers.
The Affiliates Manager plugin doesn't properly validate affiliate registration data, allowing attackers to inject malicious code (spreadsheet formulas) into exported CSV files.
Impact: When you export affiliate data to CSV, malicious code in the spreadsheet could compromise your computer or spread to other systems that open the file.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2026-27938 | HIGH | 7.7 | 2026-02-26 | WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable … |
| CVE-2024-10567 | HIGH | 7.5 | 2024-12-04 | The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up t… |
| CVE-2025-0308 | HIGH | 7.5 | 2025-01-18 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection v… |
| CVE-2024-13681 | HIGH | 7.5 | 2025-02-18 | The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_admin_get_oembed' function in all versions up to, and inclu… |
| CVE-2025-1648 | HIGH | 7.5 | 2025-02-25 | The Yawave plugin for WordPress is vulnerable to SQL Injection via the 'lbid' parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user suppli… |
| CVE-2026-9290 | HIGH | 7.5 | 2026-06-06 | The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile te… |
| CVE-2024-13377 | HIGH | 7.2 | 2025-01-17 | The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alt’ parameter in all versions up to, and including, 2.9.1.3 due to insufficient input… |
| CVE-2025-4102 | HIGH | 7.2 | 2025-06-20 | The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function i… |
| CVE-2025-13320 | MEDIUM | 6.8 | 2025-12-12 | The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supp… |
| CVE-2024-13691 | MEDIUM | 6.5 | 2025-02-18 | The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_recordMedia' function in all versions up to, and including,… |
| CVE-2024-1996 | MEDIUM | 6.4 | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's IHover widget link in all versions up to, and including, 2.9.12 due to in… |
| CVE-2024-1997 | MEDIUM | 6.4 | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_fbchat_app_id' parameter of the Messenger Chat Widget in all versions up … |
| CVE-2024-2000 | MEDIUM | 6.4 | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'navigation_dots' parameter of the Multi Scroll Widget in all versions up to, and … |
| CVE-2024-2237 | MEDIUM | 6.4 | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Global Badge module in all versions up to, and including, 2.9.12 due to insufficie… |
| CVE-2024-2238 | MEDIUM | 6.4 | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Mouse Cursor module in all versions up to, and including, 2.9.12 due to ins… |
| CVE-2024-2239 | MEDIUM | 6.4 | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Premium Magic Scroll module in all versions up to, and including, 2.9.12 due to in… |
| CVE-2024-2458 | MEDIUM | 6.4 | 2024-04-06 | The Powerkit – Supercharge your WordPress Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, … |
| CVE-2024-11338 | MEDIUM | 6.4 | 2025-01-07 | The PIXNET Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gtm' and 'venue' parameters in all versions up to, and including, 2.9.10 due to insuff… |
| CVE-2022-4941 | MEDIUM | 6.3 | 2023-04-05 | The WCFM Membership plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10 due to missing nonce checks on various AJAX actions. … |
| CVE-2024-13689 | MEDIUM | 6.3 | 2025-02-18 | The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to ex… |
| CVE-2019-15116 | MEDIUM | 6.1 | 2019-08-16 | The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging. |
| CVE-2016-10925 | MEDIUM | 6.1 | 2019-08-22 | The peters-login-redirect plugin before 2.9.1 for WordPress has XSS during the editing of redirect URLs. |
| CVE-2022-4301 | MEDIUM | 6.1 | 2023-01-09 | The Sunshine Photo Cart WordPress plugin before 2.9.15 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. |
| CVE-2023-6632 | MEDIUM | 6.1 | 2024-01-11 | The Happy Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via DOM in all versions up to and including 3.9.1.1 (versions up to 2.9.1.1 in … |
| CVE-2020-15020 | MEDIUM | 5.4 | 2020-08-31 | An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template field. |
| CVE-2024-13378 | MEDIUM | 5.4 | 2025-01-17 | The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style_settings’ parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to ins… |
| CVE-2024-13667 | MEDIUM | 5.4 | 2025-02-18 | The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient i… |
| CVE-2025-0318 | MEDIUM | 5.3 | 2025-01-18 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in al… |
| CVE-2022-2737 | MEDIUM | 4.8 | 2022-09-16 | The WP STAGING WordPress plugin before 2.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site … |
| CVE-2022-2799 | MEDIUM | 4.8 | 2022-09-16 | The Affiliates Manager WordPress plugin before 2.9.14 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting att… |
| CVE-2022-3823 | MEDIUM | 4.8 | 2022-11-28 | The Beautiful Cookie Consent Banner WordPress plugin before 2.9.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perfor… |
| CVE-2024-10362 | MEDIUM | 4.8 | 2025-05-15 | The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.9.1 does not sanitize and escape some of its settings, which could allow high-privilege users such … |
| CVE-2024-6810 | MEDIUM | 4.4 | 2025-02-26 | The Quiz Organizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.1 due to insufficient input sanitization and output … |
| CVE-2023-6965 | MEDIUM | 4.3 | 2024-04-09 | The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2… |
| CVE-2024-10216 | MEDIUM | 4.3 | 2024-11-23 | The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sideb… |
| CVE-2024-10537 | MEDIUM | 4.3 | 2024-11-23 | The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_me… |
| CVE-2025-8068 | MEDIUM | 4.3 | 2025-07-31 | The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash… |
| CVE-2025-8151 | MEDIUM | 4.3 | 2025-07-31 | The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.9.1 via the 'save_block_css' function. Thi… |
| CVE-2025-8401 | MEDIUM | 4.3 | 2025-07-31 | The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.1 via the 'get_post_data… |
| CVE-2026-0674 | MEDIUM | 4.3 | 2026-01-08 | Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects… |
| CVE-2026-33290 | MEDIUM | 4.3 | 2026-03-24 | WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a cust… |
Running WordPress 2.9.1 in 2024 is like leaving your front door unlocked with a welcome sign for hackers. The 47 known vulnerabilities - especially the critical file upload flaw and remote code execution issues - create multiple pathways for attackers to compromise your website, steal customer data, or use your site to spread malware. There is no legitimate reason to remain on this version when upgrading is free, automated, and takes just minutes.
Stop gambling with your website security and take action today. SiteRecipe.com's comprehensive security scanning tool instantly identifies all vulnerabilities in your WordPress installation, prioritizes them by severity, and provides step-by-step remediation guidance. Sign up for a free security scan now to see exactly what threats your site faces - it only takes 60 seconds to get a complete vulnerability report and personalized upgrade recommendations.