WordPress 3.2.1 is an outdated version that contains 71 known security vulnerabilities, including 2 critical flaws that could compromise your entire website. If you're still running this ancient version, your site is at serious risk of being hacked, having malware injected, or experiencing data breaches. This guide will help you identify if you're vulnerable and take immediate action to protect your business.
Our security research team discovered that 28 websites are still using this vulnerable version, making them prime targets for cybercriminals. The vulnerabilities range from SQL injection attacks that can steal your database to file upload exploits that allow attackers to run malicious code on your server. Every day you wait increases the risk of a devastating security incident.
WordPress 3.2.1 is an extremely outdated version of WordPress, the world's most popular website platform. Released over a decade ago, this version is no longer supported by the WordPress security team, meaning new vulnerabilities are discovered regularly but never patched. Running such an old version is like leaving your front door unlocked: attackers know exactly where to look for security holes.
When WordPress was at version 3.2.1, the internet looked completely different. This version lacks modern security features, doesn't have protection against sophisticated attacks, and relies on plugins that themselves contain dangerous flaws. The longer you stay on this version, the more likely your site will be targeted by automated hacking tools that specifically exploit these well-known vulnerabilities.
71 CVEs found. The most critical are explained below.
The Companion Auto-Update plugin has a security weakness that lets attackers read files on your server that they should not be able to see. The technique is called local file inclusion (LFI): because the plugin does not restrict which file a request may name, an attacker can request sensitive files directly.
Impact: Attackers could read your configuration files containing database passwords, user information, and other sensitive data that could compromise your entire website.
The Imagely NextGEN Gallery plugin contains a SQL injection vulnerability, which is like leaving a door open to your database: input from a request reaches a database query without being properly escaped, so an attacker can craft input that runs their own commands against your website's database.
Impact: Attackers could steal all your website data, modify content, create fake admin accounts, or completely corrupt your database without needing to log in.
The WP SVG Icons plugin allows attackers to trick website administrators into uploading dangerous files disguised as icon files, because the plugin does not properly validate which files may be uploaded.
Impact: Attackers could upload hidden code that gives them control over your website, allowing them to steal data, redirect visitors, or take the site offline completely.
The Companion Auto-Update plugin lacks CSRF (Cross-Site Request Forgery) protection: its admin actions do not verify that the request was intentionally sent from the plugin's own pages, so an attacker can trick a logged-in administrator's browser into performing unauthorized actions without the administrator's knowledge.
Impact: Without your permission, attackers could change plugin settings, install malicious code, or modify your website's critical configurations through your own admin account.
AccessPress Themes plugins are missing the authorization check that should verify whether a user is allowed to upload files. This is like having a security guard who never checks credentials at the door.
Impact: Any visitor could upload malicious files to your server and execute code, giving them the ability to take over your website completely.
The Simple JWT Login plugin does not properly verify that an administrator actually intended to change security settings, so an attacker can trick an admin into unknowingly changing critical security configuration.
Impact: Attackers could change your login security settings, disable account verification, or promote attacker accounts to admin level, leading to complete website takeover.
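As an added illustration of the CSRF and missing-authorization flaws described above (the Companion Auto-Update, AccessPress Themes and Simple JWT Login entries), here is a hypothetical WordPress admin-ajax handler in its weak and hardened forms, plus a hardened upload action. This is example code written for this page, not code from any plugin named here; the `exampleplugin_*` function names, option key, action names and the `icon` upload field are invented.

```php
<?php
// Hypothetical plugin handlers written for this page; not code from any plugin named above.

// WEAK: no nonce check and no capability check. A request that merely carries the
// administrator's session cookie (e.g. triggered from a page the admin was tricked
// into visiting) changes the setting, and any logged-in user can call the action directly.
function exampleplugin_save_weak() {
    update_option( 'exampleplugin_mode', $_POST['mode'] );
    wp_send_json_success();
}

// HARDENED: prove intent with a nonce (CSRF), prove privilege with a capability
// check, and accept only known values.
function exampleplugin_save_hardened() {
    // Dies with -1 / HTTP 403 unless a valid nonce for this action and this user is sent
    // in the 'nonce' field. The settings page emits it with wp_nonce_field( 'exampleplugin_save', 'nonce' ).
    check_ajax_referer( 'exampleplugin_save', 'nonce' );

    // A nonce proves the request came from the plugin's own page, not that the caller
    // is allowed to do this, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $allowed = array( 'manual', 'daily', 'weekly' );
    $mode    = isset( $_POST['mode'] ) ? sanitize_key( wp_unslash( $_POST['mode'] ) ) : '';
    if ( ! in_array( $mode, $allowed, true ) ) {
        wp_send_json_error( 'invalid mode', 400 );
    }

    update_option( 'exampleplugin_mode', $mode );
    wp_send_json_success( array( 'mode' => $mode ) );
}
add_action( 'wp_ajax_exampleplugin_save', 'exampleplugin_save_hardened' );

// Same pattern for a file-upload action: authorize the caller and restrict the
// accepted types instead of trusting the uploaded file name.
function exampleplugin_upload_hardened() {
    check_ajax_referer( 'exampleplugin_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['icon'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // 'mimes' limits what wp_handle_upload() accepts; for image types it also verifies
    // that the content really is that image type, so a script renamed to .png is rejected.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' ),
    );
    $result = wp_handle_upload( $_FILES['icon'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_exampleplugin_upload', 'exampleplugin_upload_hardened' );
```

The two hardened handlers apply both checks because a nonce and a capability answer different questions: the nonce establishes that the request was made on purpose from the plugin's own page, the capability establishes that this user is permitted to perform the action.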
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2023-2628 | HIGH | 8.8 | 2023-06-27 | The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged in u… |
| CVE-2024-5343 | HIGH | 8.8 | 2024-06-19 | The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.19. This is due t… |
| CVE-2025-14844 | HIGH | 8.2 | 2026-01-16 | The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup… |
| CVE-2024-12313 | HIGH | 8.1 | 2025-01-07 | The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input … |
| CVE-2026-1321 | HIGH | 8.1 | 2026-03-05 | The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_reg… |
| CVE-2018-20980 | HIGH | 7.5 | 2019-08-22 | The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering. |
| CVE-2024-11939 | HIGH | 7.5 | 2025-01-08 | The Cost Calculator Builder PRO plugin for WordPress is vulnerable to blind time-based SQL Injection via the ‘data’ parameter in all versions up to, and including, 3.2.15 due to i… |
| CVE-2025-12707 | HIGH | 7.5 | 2026-02-19 | The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping … |
| CVE-2021-24483 | HIGH | 7.2 | 2021-08-02 | The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 3.2.1 did not use whitelist or validate the orderby parameter before u… |
| CVE-2024-9504 | HIGH | 7.2 | 2024-11-26 | The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.2.1… |
| CVE-2022-2091 | MEDIUM | 6.5 | 2022-07-11 | The Cache Images WordPress plugin before 3.2.1 does not implement nonce checks, which could allow attackers to make any logged user upload images via a CSRF attack. |
| CVE-2023-2623 | MEDIUM | 6.5 | 2023-06-27 | The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to r… |
| CVE-2023-5334 | MEDIUM | 6.4 | 2023-10-03 | The WP Responsive header image slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sp_responsiveslider' shortcode in versions up to, and including, 3.2.1… |
| CVE-2024-3894 | MEDIUM | 6.4 | 2024-06-19 | The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an Image Title in all versions up to, and including, 3… |
| CVE-2024-5424 | MEDIUM | 6.4 | 2024-06-28 | The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Si… |
| CVE-2024-3896 | MEDIUM | 6.4 | 2024-07-24 | The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery title field in all versions up to, and… |
| CVE-2024-4633 | MEDIUM | 6.4 | 2024-12-06 | The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘addExtraMimeType’ function in versions up to, and including, … |
| CVE-2024-13658 | MEDIUM | 6.4 | 2025-02-12 | The NGG Smart Image Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hr_SIS_nextgen_searchbox' shortcode in all versions up to, and inclu… |
| CVE-2025-5122 | MEDIUM | 6.4 | 2025-05-29 | The Map Block Leaflet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.2.1 due to insufficient inp… |
| CVE-2025-7046 | MEDIUM | 6.4 | 2025-07-04 | The Portfolio for Elementor & Image Gallery | PowerFolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS Attributes of Plugin's widgets in all … |
| CVE-2025-7367 | MEDIUM | 6.4 | 2025-07-15 | The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to ins… |
| CVE-2025-4684 | MEDIUM | 6.4 | 2025-08-01 | The BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed … |
| CVE-2025-14000 | MEDIUM | 6.4 | 2025-12-23 | The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versio… |
| CVE-2025-12122 | MEDIUM | 6.4 | 2026-02-18 | The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and … |
| CVE-2026-0556 | MEDIUM | 6.4 | 2026-02-19 | The XO Event Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xo_event_field' shortcode in all versions up to, and including, 3.2.10 du… |
| CVE-2018-7280 | MEDIUM | 6.1 | 2018-02-21 | The Ninja Forms plugin before 3.2.14 for WordPress has XSS. |
| CVE-2021-24984 | MEDIUM | 6.1 | 2021-12-27 | The WPFront User Role Editor WordPress plugin before 3.2.1.11184 does not sanitise and escape the changes-saved parameter before outputting it back in the admin dashboard, leading… |
| CVE-2022-1904 | MEDIUM | 6.1 | 2022-06-27 | The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape parameter before outputting it back in a page available to any user (both authentica… |
| CVE-2023-2624 | MEDIUM | 6.1 | 2023-06-27 | The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could … |
| CVE-2023-1119 | MEDIUM | 6.1 | 2023-07-10 | The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to… |
| CVE-2024-12257 | MEDIUM | 6.1 | 2024-12-07 | The CardGate Payments for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.2.1 due… |
| CVE-2024-12435 | MEDIUM | 6.1 | 2025-01-07 | The Compare Products for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘s_feature’ parameter in all versions up to, and including, 3.2.1… |
| CVE-2024-12077 | MEDIUM | 6.1 | 2025-01-07 | The Booking Calendar and Booking Calendar Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘calendar_id’ parameter in all versions up to, and inc… |
| CVE-2025-12410 | MEDIUM | 6.1 | 2025-11-04 | The SH Contextual Help plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing or incorrect nonce vali… |
| CVE-2019-14680 | MEDIUM | 5.7 | 2019-08-08 | The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF. |
| CVE-2021-24927 | MEDIUM | 5.4 | 2021-11-29 | The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before o… |
| CVE-2024-3956 | MEDIUM | 5.4 | 2024-05-14 | The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pod Form widget in all versions up to, and including, 3.2.1 du… |
| CVE-2023-0085 | MEDIUM | 5.3 | 2023-03-02 | The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to reCaptcha Bypass in versions up to, and including, 3.2.1. This is due to insufficient server side … |
| CVE-2024-2106 | MEDIUM | 5.3 | 2024-03-13 | The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 3.2.10. This c… |
| CVE-2024-2795 | MEDIUM | 5.3 | 2024-06-28 | The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. This makes it possible for unauthe… |
| CVE-2024-6687 | MEDIUM | 5.3 | 2024-08-01 | The CTT Expresso para WooCommerce plugin for WordPress is vulnerable to sensitive information exposure in all versions up to and including 3.2.12 via the /wp-content/uploads/cepw … |
| CVE-2024-6010 | MEDIUM | 5.3 | 2024-09-07 | The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price … |
| CVE-2024-12028 | MEDIUM | 5.3 | 2024-12-06 | The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. … |
| CVE-2024-11008 | MEDIUM | 5.3 | 2024-12-11 | The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.10 via the WordPr… |
| CVE-2024-11090 | MEDIUM | 5.3 | 2025-01-26 | The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.13 via the WordPress core s… |
| CVE-2025-1507 | MEDIUM | 5.3 | 2025-03-14 | The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_actions() func… |
| CVE-2021-24773 | MEDIUM | 4.8 | 2021-11-01 | The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS atta… |
| CVE-2022-0840 | MEDIUM | 4.8 | 2022-04-11 | The Easy Social Icons WordPress plugin before 3.2.1 does not properly escape the image_file field when adding a new social icon, allowing high privileged users to inject arbitrary… |
| CVE-2022-1645 | MEDIUM | 4.8 | 2022-05-30 | The Amazon Link WordPress plugin through 3.2.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scrip… |
| CVE-2023-3499 | MEDIUM | 4.8 | 2023-09-04 | The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.16 does not sanitise and escape some of its settings, which could allow high privilege users suc… |
| CVE-2025-0718 | MEDIUM | 4.8 | 2025-03-23 | The Nested Pages WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cr… |
| CVE-2024-6478 | MEDIUM | 4.8 | 2025-05-15 | The CTT Expresso para WooCommerce WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform… |
| CVE-2025-4567 | MEDIUM | 4.8 | 2025-06-03 | The Post Slider and Post Carousel with Post Vertical Scrolling Widget WordPress plugin before 3.2.10 does not validate and escape some of its Widget options before outputting the… |
| CVE-2024-0598 | MEDIUM | 4.4 | 2024-04-09 | The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form message settings in all versi… |
| CVE-2024-6011 | MEDIUM | 4.4 | 2024-07-02 | The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12… |
| CVE-2026-1304 | MEDIUM | 4.4 | 2026-02-18 | The Membership Plugin – Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.… |
| CVE-2014-6312 | MEDIUM | 4.3 | 2014-10-15 | Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the a… |
| CVE-2023-2627 | MEDIUM | 4.3 | 2023-06-27 | The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call… |
| CVE-2021-4394 | MEDIUM | 4.3 | 2023-07-01 | The Locations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation on the… |
| CVE-2024-2931 | MEDIUM | 4.3 | 2024-04-02 | The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfront_user_role_edito… |
| CVE-2024-1904 | MEDIUM | 4.3 | 2024-04-09 | The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the search_posts function in all versions up to, and inc… |
| CVE-2024-6012 | MEDIUM | 4.3 | 2024-07-02 | The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-… |
| CVE-2025-11268 | MEDIUM | 4.3 | 2025-11-06 | The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. This is due to the software allowing user… |
| CVE-2025-12901 | MEDIUM | 4.3 | 2025-11-12 | The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_… |
| CVE-2025-14426 | MEDIUM | 4.3 | 2025-12-30 | The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up … |
WordPress 3.2.1 is dangerously outdated and puts your business at extreme risk. With 71 known vulnerabilities including critical SQL injection and file upload flaws, staying on this version is essentially inviting hackers into your website. The good news is that updating is straightforward and takes less than an hour, far less time than recovering from a security breach would take.
Don't wait for a breach to happen. Use SiteRecipe.com to scan your website right now and identify all security vulnerabilities, outdated software, and potential attack vectors. Our platform will give you a detailed security report and step-by-step remediation guidance. Sign up for a free scan today and get peace of mind knowing your website is protected against the threats targeting WordPress 3.2.1 users.