WordPress 3.1.2 is associated with 49 CVEs in this scan, 2 rated critical and 13 rated high. Read the list carefully before acting on it: every entry is a vulnerability in a WordPress plugin or theme whose affected version range includes the string 3.1.2 (Pie Register, WordPress Download Manager, XCloner, Metform and so on), not a flaw in WordPress core 3.1.2 itself. The matching is by version number, so a site on a current core can be hit by any of these if it runs one of those plugin versions, and a site on core 3.1.2 is not exposed to them unless the plugin is installed. Core 3.1.2 does have its own problem: it predates the 3.1.3 and 3.1.4 security releases and everything fixed in core since 2011. The vulnerability classes in the list are SQL injection, missing authorization (capability and nonce) checks, path traversal, arbitrary file upload and deletion, server-side request forgery, and stored or reflected cross-site scripting.
This guide summarizes the threats the scan reports, shows how to tell whether your site is affected (check the core version and the installed plugin versions, not just one of them), and explains what to do about it. Only 11 tracked websites still report WordPress 3.1.2, but for those the exposure is real and the upgrade is long overdue.
WordPress 3.1.2 is an extremely outdated release of the world's most widely used website platform. It shipped in April 2011, was followed within weeks by the 3.1.3 and 3.1.4 security releases, and has since been superseded by more than a decade of major versions; current releases are in the 6.x range. The 3.1 branch receives no security backports, so anything fixed since 2011 stays unfixed on a 3.1.2 site, and modern plugins and themes will not run on it at all. Running it means the site lacks every security, performance and compatibility improvement made since, and remains exposed to every core vulnerability published after its release as well as to the plugin issues listed below.
Confirm which version you actually run before doing anything else. In the admin area, Dashboard > Updates shows the installed version; on the server, wp-includes/version.php defines $wp_version, and WP-CLI prints it with wp core version (wp plugin list --fields=name,version does the same for plugins). Older releases also leak the version publicly in the generator meta tag of every page and in readme.html at the site root, which is how remote scanners identify a site's version without logging in. Continuing to run 3.1.2 on a live site is like leaving the front door wide open.
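The same check, scripted. This is an added example, not SiteRecipe's or WordPress's own code: it reads the two places WordPress records versions ($wp_version in wp-includes/version.php and the "Version:" line of each plugin's header comment, parsed from the first 8 KiB of the main plugin file the way WordPress does it) and compares the result against a small watch list. The sample site tree is constructed inline so the script runs offline, and the plugin directory slugs in the watch list are assumptions, since the page names plugins by title only.

```python
"""Inventory a WordPress install: core version plus each plugin's version."""
import re
import tempfile
from pathlib import Path

WP_VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*'([^']+)'", re.M)
# Header lines may carry comment syntax in front, as in " * Version: 3.1.2".
PLUGIN_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.M | re.I)
PLUGIN_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

# Constructed sample site: core 3.1.2 with three plugins. Not a real install.
SAMPLE_TREE = {
    "wp-includes/version.php": "<?php\n$wp_version = '3.1.2';\n",
    "wp-content/plugins/metform/metform.php":
        "<?php\n/**\n * Plugin Name: Metform\n * Version: 3.1.2\n * Requires at least: 5.0\n */\n",
    "wp-content/plugins/download-manager/download-manager.php":
        "<?php\n/*\nPlugin Name: Download Manager\nVersion: 3.2.0\n*/\n",
    "wp-content/plugins/hello.php":
        "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
}

# Watch list built from two table entries: CVE-2023-0084 (Metform, up to and
# including 3.1.2) and CVE-2021-34639 (Download Manager, <= 3.1.24). The slugs
# (directory names) are assumptions. Bound means "affected up to and including".
WATCH = {
    "metform": ("CVE-2023-0084", "3.1.2"),
    "download-manager": ("CVE-2021-34639", "3.1.24"),
}


def build_sample_tree():
    """Write SAMPLE_TREE into a fresh temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-inventory-"))
    for rel, content in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def parse_version(version):
    """Dotted numeric version -> comparable tuple; a '-beta' style suffix is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version.split("-", 1)[0]))


def core_version(root):
    version_php = Path(root) / "wp-includes" / "version.php"
    if not version_php.is_file():
        return None
    match = WP_VERSION_RE.search(version_php.read_text(errors="replace"))
    return match.group(1) if match else None


def plugin_versions(root):
    """Map plugin slug (directory name, or file stem for single-file plugins) -> version."""
    found = {}
    plugins_dir = Path(root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return found
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_file() and entry.suffix == ".php":
            candidates, slug = [entry], entry.stem
        elif entry.is_dir():
            candidates, slug = sorted(entry.glob("*.php")), entry.name
        else:
            continue
        for php in candidates:
            head = php.read_text(errors="replace")[:8192]  # WordPress reads 8 KiB too
            name, version = PLUGIN_NAME_RE.search(head), PLUGIN_VERSION_RE.search(head)
            if name and version:  # the first file with a full header is the main file
                found[slug] = version.group(1)
                break
    return found


def matches(root, watch=WATCH):
    """(slug, installed version, CVE) for every installed plugin inside a watched range."""
    hits = []
    for slug, version in plugin_versions(root).items():
        if slug in watch:
            cve, bound = watch[slug]
            if parse_version(version) <= parse_version(bound):
                hits.append((slug, version, cve))
    return hits


if __name__ == "__main__":
    site = build_sample_tree()
    print("core:", core_version(site))
    for slug, version in plugin_versions(site).items():
        print(f"plugin {slug}: {version}")
    for slug, version, cve in matches(site):
        print(f"AFFECTED {slug} {version} -> {cve}")
```

Point the functions at a real document root instead of build_sample_tree() to inventory an actual site. Download Manager 3.2.0 is above the 3.1.24 bound and is correctly not reported; only an exact comparison of the installed version against the affected range tells you anything, which is why checking the core version alone is not enough for this list.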
The scan matched 49 CVEs. The six it rates most severe are summarized first; the other 43 follow in the table. Note the pattern in the affected-version text: each entry is a plugin or theme whose own version 3.1.2 (or a range around it) is vulnerable. Compare the site's plugin directory against these names and versions; a current core does not protect against them, and an old core is not affected by them unless the plugin is present.
The Pie Register plugin passes untrusted input into a database query without parameterizing it. This is a SQL injection vulnerability: an attacker appends their own SQL to the plugin's query and reads or modifies data the plugin was never meant to expose.
Impact: Attackers could read customer information, user password hashes and other sensitive data stored in the WordPress database, or modify site content, without permission.
The Product Table for WooCommerce plugin is missing the authorization checks its settings handlers need (the capability check and nonce verification a WordPress AJAX or admin-post handler is expected to perform). Anyone, including visitors who are not logged in, can change the plugin's settings and store content that the site later renders.
Impact: Attackers could alter product pages, inject script or markup that runs in visitors' browsers, or redirect customers to phishing pages, without holding an account on the site.
The Survey Maker plugin lets logged-in users inject SQL through its survey export feature: a parameter of the export request is concatenated into a query, so an authenticated attacker can append extra SQL to an otherwise normal operation.
Impact: Attackers with a low-privilege account could read survey responses, modify records, or pull other tables out of the WordPress database, and the requests look like ordinary export traffic.
The Ultimate Addons for Contact Form 7 plugin lets any logged-in user inject SQL through a form ID parameter; the injected fragment runs as part of the plugin's legitimate query.
Impact: Even a low-privilege account (a subscriber created through open registration, for example) could read submitted form data, delete records, or modify other tables in the database.
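The sort-parameter variant of this bug class appears several times in the table below (the orderby/order, 'did' and 'columns' parameters). The following added example, not code from any plugin on this page, shows on an in-memory SQLite database why it is exploitable even when the query returns nothing sensitive, and why the fix is an allow-list rather than escaping or parameter binding. The table names, rows and the phpass-style password hash are constructed for the demo; the same reasoning applies to MySQL and $wpdb->prepare(), which also cannot bind a column name.

```python
"""ORDER BY injection on a sort parameter, and the allow-list that fixes it."""
import sqlite3
import string


def make_db():
    """Constructed data: one admin row and three sortable items."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE plugin_items (id INTEGER PRIMARY KEY, title TEXT, category TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BConstructedHashForDemo0');
        INSERT INTO plugin_items VALUES (1, 'Alpha', 'reports'), (2, 'Zulu', 'reports'),
                                        (3, 'Mid', 'reports');
    """)
    return conn


def list_items_vulnerable(conn, orderby, order):
    """The bug class: request parameters dropped straight into ORDER BY."""
    sql = f"SELECT id FROM plugin_items ORDER BY {orderby} {order}"
    return [row[0] for row in conn.execute(sql)]


CHARSET = string.ascii_letters + string.digits + "$./"  # phpass hash alphabet


def oracle(conn, position, candidate):
    """True iff user_pass[position] == candidate, learned only from the row order.
    The CASE flips the sort key, so a true guess yields ids 1,2,3 and a false one 3,2,1."""
    probe = (f"(CASE WHEN (SELECT substr(user_pass,{position + 1},1) FROM wp_users WHERE ID=1)"
             f"='{candidate}' THEN id ELSE -id END)")
    return list_items_vulnerable(conn, probe, "ASC") == [1, 2, 3]


def extract_prefix(conn, length):
    """Blind extraction of the admin's hash: one CHARSET sweep per character."""
    recovered = ""
    for pos in range(length):
        for ch in CHARSET:
            if oracle(conn, pos, ch):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of string or outside CHARSET
    return recovered


def bound_identifier_is_ignored(conn):
    """A placeholder in ORDER BY binds a string literal, not a column name, so
    every row sorts as equal. Binding therefore cannot fix this bug."""
    rows = [r[0] for r in conn.execute("SELECT id FROM plugin_items ORDER BY ? DESC", ("id",))]
    return rows != [3, 2, 1]


# The fix: identifiers come from a fixed map, and only values are bound.
ALLOWED_ORDERBY = {"id": "id", "title": "title"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}


def list_items_hardened(conn, orderby, order, category):
    col = ALLOWED_ORDERBY.get(str(orderby).lower())
    direction = ALLOWED_ORDER.get(str(order).lower())
    if col is None or direction is None:
        raise ValueError("unsupported orderby/order")
    sql = f"SELECT id FROM plugin_items WHERE category = ? ORDER BY {col} {direction}"
    return [row[0] for row in conn.execute(sql, (category,))]


def is_rejected(conn, orderby, order):
    """Convenience wrapper: does the hardened handler refuse this sort request?"""
    try:
        list_items_hardened(conn, orderby, order, "reports")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked hash prefix:", extract_prefix(db, 8))
    print("binding the column name sorts nothing:", bound_identifier_is_ignored(db))
    print("hardened rejects payload:", is_rejected(db, "(CASE WHEN 1=1 THEN id END)", "asc"))
```

Nothing in the vulnerable query's result set is secret; the leak is the order of the rows, which is why "the query only touches public data" is not a defense. The hardened version maps the client's strings onto fixed identifiers and binds the one real value (category) as a parameter.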
The WP-BusinessDirectory plugin has a path traversal flaw: a file path taken from the request is not confined to the directory it is supposed to stay in, so sequences such as ../ let an attacker reach files elsewhere on the server.
Impact: Attackers could read wp-config.php (database credentials and authentication salts), API keys, or other files that hand them the rest of the site.
The Gutenberg Blocks by Kadence plugin lets authenticated users make the server issue HTTP requests to a URL of their choosing. This is Server-Side Request Forgery (SSRF): the server, which may sit inside a private network or hold cloud credentials, fetches whatever the attacker points it at.
Impact: Attackers could reach internal services and cloud metadata endpoints that are not exposed to the internet, use the server as a relay to attack other hosts, or map the network the site runs in.
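The path traversal entry above and the arbitrary file deletion, directory traversal and double-extension upload entries in the table below all come down to two missing checks. This added example, not code from any plugin on this page, shows both: resolve the requested path and verify it is still under the allowed base (which also catches symlinks pointing outside), and reject an upload name if any of its extensions, not only the last, is something the web server would execute, since Apache's mod_mime evaluates every extension of "payload.php.png". The sandbox directory and file names are constructed for the demo.

```python
"""Confining user-supplied paths and rejecting executable upload names."""
import os
import tempfile
from pathlib import Path

# Extensions a typical PHP host executes; an occurrence anywhere after the
# first dot is rejected, so "payload.php.png" does not get through.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}


def resolve_inside(base, user_path):
    """Absolute path for user_path under base, or None if it escapes base.
    resolve() canonicalizes '..' and follows symlinks before the containment test."""
    base = Path(base).resolve()
    target = (base / user_path).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


def upload_name_is_safe(filename):
    """Basename only, no dotfiles, and no executable extension at any position."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False
    parts = name.lower().split(".")
    return not any(ext in EXECUTABLE_EXTS for ext in parts[1:])


def build_sandbox():
    """Constructed layout: uploads/docs/report.pdf, a sibling directory outside
    the base, and a symlink inside the base that points at it."""
    root = Path(tempfile.mkdtemp(prefix="confine-"))
    base = root / "uploads"
    (base / "docs").mkdir(parents=True)
    (base / "docs" / "report.pdf").write_text("pdf")
    (root / "outside").mkdir()
    (root / "outside" / "secret.txt").write_text("secret")
    try:
        (base / "escape-link").symlink_to(root / "outside", target_is_directory=True)
        link_made = True
    except OSError:  # platforms without symlink privileges
        link_made = False
    return base, link_made


def demo():
    """Run every probe and report which ones the checks let through."""
    base, _ = build_sandbox()
    probes = ["docs/report.pdf", "../outside/secret.txt", "/etc/passwd", "escape-link/secret.txt"]
    paths = {p: resolve_inside(base, p) is not None for p in probes}
    names = ["report.pdf", "payload.php.png", "shell.PHP", "../.htaccess", "notes"]
    uploads = {n: upload_name_is_safe(n) for n in names}
    return paths, uploads


if __name__ == "__main__":
    allowed_paths, allowed_names = demo()
    for probe, ok in allowed_paths.items():
        print(f"path   {probe!r:28} {'allowed' if ok else 'blocked'}")
    for name, ok in allowed_names.items():
        print(f"upload {name!r:28} {'allowed' if ok else 'blocked'}")
```

Two details matter in practice: the containment test runs after resolve(), not on the raw string (stripping "../" from the input is bypassable and does nothing for symlinks), and the extension check lower-cases the name and looks at every component, because the server's extension matching is case-insensitive and multi-extension aware.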
The remaining 43 CVEs the scan matched, ordered by severity. Descriptions are truncated; the affected plugin and its version range appear at the start of each one.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-9693 | HIGH | 8.0 | 2025-09-11 | The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postI… |
| CVE-2021-34639 | HIGH | 7.5 | 2021-08-05 | Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.php.png" which is exe… |
| CVE-2021-24860 | HIGH | 7.2 | 2021-11-29 | The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection is… |
| CVE-2021-25064 | HIGH | 7.2 | 2022-03-28 | The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection. |
| CVE-2022-33970 | HIGH | 7.2 | 2022-07-27 | Authenticated WordPress Options Change vulnerability in Biplob018 Shortcode Addons plugin <= 3.1.2 at WordPress. |
| CVE-2023-0084 | HIGH | 7.2 | 2023-03-02 | The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to… |
| CVE-2021-4358 | HIGH | 7.2 | 2023-06-07 | The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 3.1.23 due to insufficient i… |
| CVE-2016-15041 | HIGH | 7.2 | 2024-10-16 | The MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mwp_setup_purchase… |
| CVE-2025-32630 | HIGH | 7.1 | 2025-04-17 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-busi… |
| CVE-2015-4336 | MEDIUM | 6.5 | 2015-06-17 | cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metachara… |
| CVE-2015-4338 | MEDIUM | 6.5 | 2015-06-17 | Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translat… |
| CVE-2021-34638 | MEDIUM | 6.5 | 2021-08-05 | Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as … |
| CVE-2024-0679 | MEDIUM | 6.5 | 2024-01-20 | The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the plugin_action_callback() function in all versions up to, and includi… |
| CVE-2025-3775 | MEDIUM | 6.5 | 2025-04-25 | The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Server-Side Request For… |
| CVE-2024-12023 | MEDIUM | 6.5 | 2025-05-02 | The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the 'formId' parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied… |
| CVE-2026-3138 | MEDIUM | 6.5 | 2026-03-24 | The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.… |
| CVE-2023-4890 | MEDIUM | 6.4 | 2023-09-12 | The JQuery Accordion Menu Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcwp-jquery-accordion' shortcode in versions up to, and including, 3.1.2 du… |
| CVE-2024-1946 | MEDIUM | 6.4 | 2024-04-02 | The Genesis Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block content in all versions up to, and including, 3.1.2 due to insufficient input sa… |
| CVE-2024-3650 | MEDIUM | 6.4 | 2024-05-02 | The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Accordion widget in all versions 3.0.7 through 3.1.2 due to insuff… |
| CVE-2024-4615 | MEDIUM | 6.4 | 2024-06-13 | The Elespare – Blog, Magazine and Newspaper Addons for Elementor with Templates, Widgets, Kits, and Header/Footer Builder. One Click Import: No Coding Required! plugin for WordPre… |
| CVE-2025-5096 | MEDIUM | 6.4 | 2025-05-23 | The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data… |
| CVE-2026-1922 | MEDIUM | 6.4 | 2026-02-10 | The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ecs-list-events` shortcode `message` attribute in all… |
| CVE-2026-4085 | MEDIUM | 6.4 | 2026-04-22 | The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode i… |
| CVE-2016-10878 | MEDIUM | 6.1 | 2019-08-12 | The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS. |
| CVE-2021-24923 | MEDIUM | 6.1 | 2022-01-24 | The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back … |
| CVE-2022-1474 | MEDIUM | 6.1 | 2022-07-11 | The WP Event Manager WordPress plugin before 3.1.28 does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflecte… |
| CVE-2023-2803 | MEDIUM | 6.1 | 2023-08-14 | The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-… |
| CVE-2023-4148 | MEDIUM | 6.1 | 2023-09-25 | The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site… |
| CVE-2024-9211 | MEDIUM | 6.1 | 2024-10-11 | The FULL – Cliente plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL … |
| CVE-2024-10519 | MEDIUM | 6.1 | 2024-11-23 | The Wishlist for WooCommerce: Multi Wishlists Per Customer PRO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wtab' parameter in versions 3.0.8 to 3… |
| CVE-2024-12128 | MEDIUM | 6.1 | 2024-12-07 | The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘monthly_sales_current_year’ p… |
| CVE-2020-7108 | MEDIUM | 5.4 | 2020-01-16 | The LearnDash LMS plugin before 3.1.2 for WordPress allows XSS via the ld-profile search field. |
| CVE-2023-2899 | MEDIUM | 5.4 | 2023-06-19 | The Google Map Shortcode WordPress plugin through 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow us… |
| CVE-2023-4799 | MEDIUM | 5.4 | 2023-11-20 | The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embe… |
| CVE-2024-12253 | MEDIUM | 5.4 | 2024-12-07 | The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'save_se… |
| CVE-2024-13844 | MEDIUM | 4.9 | 2025-03-08 | The Post SMTP plugin for WordPress is vulnerable to generic SQL Injection via the ‘columns’ parameter in all versions up to, and including, 3.1.2 due to insufficient escaping on t… |
| CVE-2021-24810 | MEDIUM | 4.8 | 2022-03-07 | The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scr… |
| CVE-2021-36866 | MEDIUM | 4.8 | 2022-06-02 | Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) vulnerability in Fatcat Apps Easy Pricing Tables plugin <= 3.1.2 at WordPress. |
| CVE-2022-1990 | MEDIUM | 4.8 | 2022-06-27 | The Nested Pages WordPress plugin before 3.1.21 does not escape and sanitize the some of its settings, which could allow high privilege users to perform Stored Cross-Site Scriptin… |
| CVE-2023-3245 | MEDIUM | 4.8 | 2023-07-17 | The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cr… |
| CVE-2023-2802 | MEDIUM | 4.8 | 2023-08-14 | The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to pe… |
| CVE-2025-13737 | MEDIUM | 4.3 | 2025-11-28 | The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or inco… |
| CVE-2015-4337 | LOW | 3.5 | 2015-06-17 | Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual par… |
WordPress 3.1.2 should not be serving a live website. Upgrade core to the current release, then update or remove every plugin and theme named in the list above: the 2 critical CVEs (SQL injection and missing authorization checks, both in plugins) and the rest are plugin issues that a core upgrade alone does not fix. Upgrading from a 2011 release is a migration rather than a click, so take a full file and database backup, rehearse it on a staging copy, and expect plugin and theme incompatibilities along the way. Protecting your data, your visitors' information and your business reputation depends on it.
Don't wait for a breach to force your hand. SiteRecipe.com's vulnerability scanner identifies the security threats on your website, provides remediation guidance, and monitors your site's security on an ongoing basis. Visit SiteRecipe.com to check your WordPress version, understand your vulnerabilities, and fix them.