WordPress 3.0.1 is an outdated version that poses significant security risks to your website. Our security analysis has identified 77 known vulnerabilities affecting this version, including 5 critical-severity flaws that could allow attackers to inject malicious code, steal data, or take complete control of your site. If you're still running WordPress 3.0.1, immediate action is required to protect your business and customer data.
This guide will help you identify if your site is vulnerable, understand the specific threats, and implement the necessary security fixes. We've analyzed real-world CVEs affecting WordPress 3.0.1 to provide you with actionable steps to secure your installation before attackers exploit these known weaknesses.
WordPress 3.0.1 is an extremely outdated version of WordPress released over a decade ago. WordPress is a content management system that powers over 40% of all websites on the internet, making it a frequent target for hackers. Version 3.0.1 was released in 2010 and has not received security updates since then, leaving it vulnerable to modern attack techniques. Running this version today is like leaving your front door unlocked—hackers know exactly where to find the weaknesses.
Vulnerabilities in WordPress 3.0.1 don't just affect the core software; they also extend to popular plugins like Pie Register, Kaswara Modern VC Addons, and BeyondCart Connector. These weaknesses allow attackers to inject malicious code, execute unauthorized database commands, upload dangerous files, and escalate their privileges to administrator level. Our research shows 13 websites are still running this vulnerable version, putting them at extreme risk of data breaches and ransomware attacks.
77 CVEs found. The most critical are explained below.
The Builderall Builder plugin has a vulnerability that allows hackers to inject their own code into your website. This code runs on your server with full control, letting attackers do whatever they want with your site.
Impact: Attackers could steal customer data, install malware, redirect visitors to scam sites, or completely take over your website's functionality.
The Pie Register plugin has a flaw in how it handles invitation codes that lets hackers directly access and manipulate your database. They can read, modify, or delete sensitive information stored in your WordPress database.
Impact: Attackers could steal all your customer information, membership data, or any other sensitive data stored in your database without needing a password.
The Kaswara Modern VC Addons plugin allows anyone to upload files to your website without permission or login. Attackers can upload harmful files like malicious code disguised as fonts.
Impact: Hackers can upload malware, backdoors, or malicious scripts that give them persistent access to your website and full control over it.
The BeyondCart Connector plugin has weak security in how it manages access tokens, allowing attackers to forge valid credentials without needing a real login account. This gives them the same permissions as an administrator.
Impact: Attackers can gain complete control of your website, access all data, modify content, add new admin accounts, and perform any action an administrator could do.
The Picture/Portfolio/Media Gallery plugin has a flaw that lets attackers use your website server to make requests to other websites or internal systems. Your server becomes a tool for attacking other targets.
Impact: Attackers can access internal company systems, retrieve sensitive information, attack other websites using your server, or access files that should be private.
The Enfold theme has a documented security flaw, though specific details are limited. This is an older vulnerability from 2014 that should have been patched long ago.
Impact: The risk depends on the specific nature of the flaw, but any unpatched vulnerability leaves your site exposed to potential exploitation.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2023-0088 | HIGH | 8.8 | 2023-01-05 | The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validat… |
| CVE-2023-3343 | HIGH | 8.8 | 2023-07-13 | The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-p… |
| CVE-2023-6967 | HIGH | 8.8 | 2024-04-09 | The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to SQL Injection via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.… |
| CVE-2023-6999 | HIGH | 8.8 | 2024-04-09 | The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Execution via shortcode in all versions up to, and including, 3.0.10 (with the except… |
| CVE-2024-11816 | HIGH | 8.8 | 2025-01-08 | The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Remote Code Execution in version 3.0.11. This is due to a missing capability check on the 'wpext… |
| CVE-2025-14397 | HIGH | 8.8 | 2025-12-13 | The Postem Ipsum plugin for WordPress is vulnerable to unauthorized modification of data to Privilege Escalation due to a missing capability check on the postem_ipsum_generate_use… |
| CVE-2024-13556 | HIGH | 8.1 | 2025-02-18 | The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 … |
| CVE-2023-4278 | HIGH | 7.5 | 2023-09-11 | The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in place during registration allowing anyone to register on the site as an instruct… |
| CVE-2024-11460 | HIGH | 7.5 | 2024-12-06 | The Verowa Connect plugin for WordPress is vulnerable to SQL Injection via the 'search_string' parameter in all versions up to, and including, 3.0.1 due to insufficient escaping o… |
| CVE-2024-13184 | HIGH | 7.5 | 2025-01-18 | The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to time-based SQL Injection via the Login Attempts module in all versions up to, and including,… |
| CVE-2024-11916 | HIGH | 7.4 | 2025-01-08 | The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on several… |
| CVE-2024-2395 | HIGH | 7.3 | 2024-03-12 | The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrec… |
| CVE-2024-0683 | HIGH | 7.3 | 2024-03-13 | The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in all versions up to, and includ… |
| CVE-2021-4448 | HIGH | 7.3 | 2024-10-16 | The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various … |
| CVE-2026-3017 | HIGH | 7.2 | 2026-04-14 | The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3… |
| CVE-2024-13626 | HIGH | 7.1 | 2025-02-17 | The VR-Frases (collect & share quotes) WordPress plugin through 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-… |
| CVE-2025-30796 | HIGH | 7.1 | 2025-04-01 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Extended The Ultimate WordPress Toolkit – WP Extended wpextended allows Re… |
| CVE-2025-28975 | HIGH | 7.1 | 2025-08-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redqteam Alike - WordPress Custom Post Comparison alike allows Reflected XSS.… |
| CVE-2025-60075 | HIGH | 7.1 | 2025-10-29 | Cross-Site Request Forgery (CSRF) vulnerability in Allegro Marketing hpb seo plugin for WordPress hpbseo allows Reflected XSS.This issue affects hpb seo plugin for WordPress: from… |
| CVE-2022-1826 | MEDIUM | 6.5 | 2022-06-20 | The Cross-Linker WordPress plugin through 3.0.1.9 does not have CSRF check in place when creating Cross-Links, which could allow attackers to make a logged in admin perform such a… |
| CVE-2023-50891 | MEDIUM | 6.5 | 2023-12-29 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS.This issu… |
| CVE-2025-62987 | MEDIUM | 6.5 | 2025-10-27 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows … |
| CVE-2024-9426 | MEDIUM | 6.4 | 2024-11-13 | The Aqua SVG Sprite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.14 due to insufficient input s… |
| CVE-2024-13578 | MEDIUM | 6.4 | 2025-02-18 | The WP-BibTeX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'WpBibTeX' shortcode in all versions up to, and including, 3.0.1 due to insufficie… |
| CVE-2025-4963 | MEDIUM | 6.4 | 2025-05-28 | The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanit… |
| CVE-2025-4595 | MEDIUM | 6.4 | 2025-05-31 | The FastSpring plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fastspring/block-fastspringblocks-complete-product-catalog' block in all version… |
| CVE-2025-5239 | MEDIUM | 6.4 | 2025-06-06 | The Domain For Sale plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 3.0.10 due to insufficie… |
| CVE-2025-11875 | MEDIUM | 6.4 | 2025-10-25 | The SpendeOnline.org plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spendeonline' shortcode in all versions up to, and including, 3.0.1 due to… |
| CVE-2025-14275 | MEDIUM | 6.4 | 2026-01-08 | The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the c… |
| CVE-2026-3516 | MEDIUM | 6.4 | 2026-03-21 | The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to … |
| CVE-2020-36171 | MEDIUM | 6.1 | 2021-01-06 | The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads. |
| CVE-2022-0533 | MEDIUM | 6.1 | 2022-03-07 | The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability. |
| CVE-2022-2383 | MEDIUM | 6.1 | 2022-08-22 | The Feed Them Social WordPress plugin before 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting |
| CVE-2022-2532 | MEDIUM | 6.1 | 2022-08-22 | The Feed Them Social WordPress plugin before 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting |
| CVE-2022-2537 | MEDIUM | 6.1 | 2022-08-29 | The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 3.0.1 does not sanitise and escape some parameters before outputting them back in an attributes of an admin pa… |
| CVE-2022-3149 | MEDIUM | 6.1 | 2022-10-17 | The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to make a logged in admin perf… |
| CVE-2024-9347 | MEDIUM | 6.1 | 2024-10-17 | The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpext-export' parameter in all versions up to, and i… |
| CVE-2024-12005 | MEDIUM | 6.1 | 2025-01-21 | The WP-BibTeX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on… |
| CVE-2024-13406 | MEDIUM | 6.1 | 2025-01-22 | The XML for Google Merchant Center plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'feed_id' parameter in all versions up to, and including, 3.0.11 du… |
| CVE-2025-0860 | MEDIUM | 6.1 | 2025-01-30 | The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in all versions up to, and including, 3.0.1 due … |
| CVE-2023-0087 | MEDIUM | 5.5 | 2023-01-05 | The Swifty Page Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘spm_plugin_options_page_tree_max_width’ parameter in versions up to, and includi… |
| CVE-2023-0446 | MEDIUM | 5.5 | 2023-01-23 | The My YouTube Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters in versions up to, and including, 3.0.12.1 due to insufficient… |
| CVE-2017-1000227 | MEDIUM | 5.4 | 2017-11-17 | Stored XSS in Salutation Responsive WordPress + BuddyPress Theme version 3.0.15 could allow logged-in users to do almost anything an admin can |
| CVE-2022-3934 | MEDIUM | 5.4 | 2022-12-12 | The FlatPM WordPress plugin before 3.0.13 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could … |
| CVE-2023-0169 | MEDIUM | 5.4 | 2023-02-13 | The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed,… |
| CVE-2024-0978 | MEDIUM | 5.3 | 2024-02-29 | The My Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.14 via the REST API. This makes it possible for … |
| CVE-2024-1478 | MEDIUM | 5.3 | 2024-03-05 | The Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.1 via the REST API. This makes it possible for … |
| CVE-2024-3215 | MEDIUM | 5.3 | 2024-05-02 | The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and… |
| CVE-2024-13554 | MEDIUM | 5.3 | 2025-02-12 | The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reorder_route() f… |
| CVE-2025-0861 | MEDIUM | 4.9 | 2025-01-30 | The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 3.0.1 due to insufficient e… |
| CVE-2022-23979 | MEDIUM | 4.8 | 2022-01-28 | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability discovered in Ultimate Reviews WordPress plugin (versions <= 3.0.15). |
| CVE-2022-3135 | MEDIUM | 4.8 | 2022-09-26 | The SEO Smart Links WordPress plugin through 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-… |
| CVE-2023-0874 | MEDIUM | 4.8 | 2023-04-10 | The Klaviyo WordPress plugin before 3.0.10 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scr… |
| CVE-2024-9835 | MEDIUM | 4.8 | 2024-11-12 | The RSS Feed Widget WordPress plugin before 3.0.1 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cr… |
| CVE-2024-8187 | MEDIUM | 4.8 | 2025-05-15 | The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-… |
| CVE-2025-12033 | MEDIUM | 4.4 | 2025-10-22 | The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scrip… |
| CVE-2026-1266 | MEDIUM | 4.4 | 2026-01-24 | The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitiz… |
| CVE-2026-1302 | MEDIUM | 4.4 | 2026-01-24 | The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input… |
| CVE-2013-4626 | MEDIUM | 4.3 | 2013-09-26 | Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to… |
| CVE-2022-3151 | MEDIUM | 4.3 | 2022-10-17 | The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when deleting cursors, which could allow attackers to make a logged in admin delete arbitrary… |
| CVE-2023-0447 | MEDIUM | 4.3 | 2023-01-23 | The My YouTube Channel plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the clear_all_cache function in versions up to, and includin… |
| CVE-2021-4393 | MEDIUM | 4.3 | 2023-07-01 | The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.17. This is due to missin… |
| CVE-2023-6965 | MEDIUM | 4.3 | 2024-04-09 | The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2… |
| CVE-2024-3893 | MEDIUM | 4.3 | 2024-04-25 | The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_f… |
| CVE-2024-5855 | MEDIUM | 4.3 | 2024-07-09 | The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_de… |
| CVE-2025-9949 | MEDIUM | 4.3 | 2025-09-20 | The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce … |
| CVE-2026-0687 | MEDIUM | 4.3 | 2026-01-24 | The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all vers… |
| CVE-2026-6932 | MEDIUM | 4.3 | 2026-05-12 | The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verificati… |
| CVE-2022-33191 | MEDIUM | 4.1 | 2022-07-22 | Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Chinmoy Paul's Testimonials plugin <= 3.0.1 at WordPress. |
| CVE-2022-33900 | MEDIUM | 4.1 | 2022-08-22 | PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. |
| CVE-2010-5297 | LOW | 2.1 | 2014-01-21 | WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authentica… |
Running WordPress 3.0.1 exposes your website to 77 known security vulnerabilities, including critical flaws that allow code injection, SQL injection, arbitrary file uploads, and privilege escalation attacks. These aren't theoretical risks—hackers actively exploit these known weaknesses to compromise sites, steal customer data, and deploy ransomware. The good news is that updating to the latest WordPress version eliminates most of these vulnerabilities immediately, and modern security practices keep your site protected going forward.
Don't wait for a breach to happen. Use SiteRecipe.com's comprehensive security scanning tools to identify all vulnerabilities on your WordPress site, prioritize critical fixes, and get step-by-step guidance to harden your security. Our platform scans for CVEs, outdated plugins, weak configurations, and malware—giving you complete visibility into your site's security posture. Start your free security audit at SiteRecipe.com today and protect your business from cyber attacks.