WordPress 2.9.2 is an outdated version that contains 18 known security vulnerabilities, including 2 critical-level threats that could compromise your entire website. If your site is still running this version, you're at serious risk of data breaches, unauthorized access, and malware infections. This guide will help you understand these vulnerabilities and take immediate action to protect your WordPress installation.
Our security analysis has identified that approximately 10 websites are still using this vulnerable version. Attackers actively target outdated WordPress installations because they know exactly which exploits will work. The vulnerabilities range from arbitrary file uploads to authentication bypass attacks—all of which could give hackers complete control of your site.
WordPress 2.9.2 was released in 2009 and is one of the oldest WordPress versions still occasionally found on the internet. It's a legacy version that predates many modern security features and best practices. Think of it like running an old car without safety features—it might still technically work, but it's extremely dangerous compared to modern alternatives.
This version of WordPress reached end-of-life over a decade ago, meaning it no longer receives security updates or patches from the WordPress development team. Without these updates, any vulnerability discovered afterward remains unfixed, creating a window of opportunity for cybercriminals. If you're running WordPress 2.9.2, your site is essentially an open target for attackers using well-known exploit techniques.
18 CVEs found. The most critical are explained below.
The WooCommerce Ultimate Gift Card plugin has a security flaw that allows anyone to upload files to your website without permission. This happens because the plugin doesn't properly check what type of files are being uploaded.
Impact: Attackers could upload malicious files that give them complete control of your website, steal customer data, or use your site to attack others.
↗ View on NVDThe Gravity Forms plugin fails to validate file types properly, allowing attackers to upload any file they want to your server. This is a critical security gap that affects all versions up to 2.9.20.
Impact: Your website could be compromised with malicious code, leading to data breaches, website defacement, or complete system takeover by criminals.
↗ View on NVDThis plugin is missing security protection against CSRF (Cross-Site Request Forgery) attacks. Attackers can trick logged-in users into performing unwanted actions without their knowledge.
Impact: Hackers could manipulate your admin users into changing settings, creating accounts, or performing other dangerous actions on your site.
↗ View on NVDThe Royal Core plugin doesn't properly check user permissions on backup restoration functions. This means lower-level users could potentially promote themselves to administrator level.
Impact: Attackers with basic user accounts could escalate their access to full admin control, giving them complete control over your website and customer data.
↗ View on NVDThe JobSearch WP Job Board plugin has flaws in how it handles social login authentication (Google, Xing). These flaws allow attackers to bypass normal login requirements and access accounts without passwords.
Impact: Attackers could access user accounts without credentials, impersonate job seekers or employers, and steal sensitive information from your job board.
↗ View on NVDGravity Forms has a second critical file upload flaw in its legacy upload system. The blacklist that blocks dangerous file types is missing .phar files, which can execute code on your server.
Impact: Attackers can upload executable files that run malicious code directly on your server, potentially compromising your entire website and customer information.
↗ View on NVDShowing first 10 of 12. View all on NVD ↗
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-13407 | MEDIUM | 6.8 | 2025-12-24 | The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to u… |
| CVE-2015-9441 | MEDIUM | 6.5 | 2019-09-26 | The bookmarkify plugin 2.9.2 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=bookmarkify.php. |
| CVE-2024-11439 | MEDIUM | 6.4 | 2024-12-18 | The ScanCircle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'scancircle' shortcode in all versions up to, and including, 2.9.2 due to insuffi… |
| CVE-2024-13391 | MEDIUM | 6.4 | 2025-01-18 | The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vid… |
| CVE-2025-8427 | MEDIUM | 6.4 | 2025-10-23 | The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play’ parameter in all versions up to, and including, 2… |
| CVE-2026-3492 | MEDIUM | 6.4 | 2026-03-11 | The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving mis… |
| CVE-2025-8897 | MEDIUM | 6.1 | 2025-08-28 | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘'fl_builder' parameter in all versions up to, and includi… |
| CVE-2023-4968 | MEDIUM | 5.5 | 2023-10-20 | The WPLegalPages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wplegalpage' shortcode in versions up to, and including, 2.9.2 due to insufficient input sa… |
| CVE-2024-1984 | MEDIUM | 5.3 | 2024-04-09 | The Graphene theme for WordPress is vulnerable to unauthorized access of data via meta tag in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated … |
| CVE-2024-12276 | MEDIUM | 5.3 | 2025-02-21 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to second-order SQL Injection… |
| CVE-2011-3818 | MEDIUM | 5.0 | 2011-09-24 | WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as … |
| CVE-2010-0682 | MEDIUM | 4.0 | 2010-02-23 | WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter. |
Plain English · Fix recommendations · Instant PDF & HTML download
Scan your site in 30 seconds. Used by 500+ web agencies.
Running WordPress 2.9.2 puts your website at extreme risk. The 2 critical vulnerabilities alone could allow attackers to upload malicious files or bypass authentication entirely, potentially stealing customer data, injecting malware, or destroying your site completely. Updating to a modern WordPress version is not optional—it's essential for the security and credibility of your online presence.
Don't wait for a breach to happen. Use SiteRecipe.com's comprehensive WordPress security scanner today to identify all vulnerabilities on your site and get step-by-step guidance on fixing them. Our platform makes it easy to understand security risks in plain English and provides automated fixes for common issues. Protect your WordPress site now—your customers and your business depend on it.
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.