WordPress 3.3.1 contains 58 documented security vulnerabilities that put thousands of websites at serious risk. With 5 critical-severity flaws and 13 high-severity issues, this outdated version leaves your site vulnerable to remote code execution, arbitrary file uploads, and authentication bypass attacks. If you're still running WordPress 3.3.1, immediate action is required to protect your data and your visitors.
This comprehensive guide walks you through identifying whether your site is affected, understanding the specific threats you face, and implementing the fixes needed to secure your WordPress installation. Whether you're a business owner or web administrator, understanding these vulnerabilities is essential for maintaining a safe online presence.
WordPress 3.3.1 is an extremely outdated version of WordPress, released over a decade ago. WordPress is a content management system that helps people build and manage websites without needing to write code. However, this ancient version was never designed to defend against modern cyber threats, and attackers have had years to discover and exploit its weaknesses.
Today, WordPress 3.3.1 is effectively abandoned by its creators with no security updates or patches being released. This means any vulnerability discovered—and 58 have been found—will never be fixed by the WordPress team. Operating a website on this version is like leaving your front door unlocked while advertising that you have valuable items inside.
58 CVEs found. The most critical are explained below.
The Visualizer plugin has a hidden vulnerability that allows attackers to trick your website into accessing internal systems or data it shouldn't be able to reach. This happens through a specific upload feature that doesn't properly validate requests.
Impact: Attackers could potentially access sensitive internal information about your server, database, or connected systems without being noticed.
The YITH WooCommerce Gift Cards Premium plugin doesn't properly check what files are being uploaded to your website. This allows attackers to upload malicious code that runs on your server.
Impact: Attackers could take complete control of your website, steal customer data, inject malware, or use your server for their own purposes.
The MasterStudy LMS plugin doesn't properly verify user permissions when someone tries to register. An attacker could manipulate the registration process to gain admin-level access without proper credentials.
Impact: Attackers could become administrators of your site and modify content, access student data, or compromise your entire platform.
The Workreap freelance marketplace plugin doesn't properly verify user identity during account verification. Attackers could bypass the login process entirely and access any user account.
Impact: Attackers could impersonate freelancers, clients, or administrators, accessing confidential project details, payments, and user information.
The ELEX HelpDesk plugin doesn't check what type of files customers can upload when creating support tickets. This lets attackers upload executable files instead of legitimate documents.
Impact: Attackers could upload malicious files that execute on your server, giving them control over your website and customer support data.
The Go Pricing plugin improperly processes data from pricing table shortcodes. Authenticated users (even basic subscribers) could inject malicious code through this feature.
Impact: Attackers could execute arbitrary code, modify pricing tables, steal customer data, or inject malware visible to your site visitors.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-3404 | HIGH | 8.8 | 2025-04-19 | The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and … |
| CVE-2018-16308 | HIGH | 8.6 | 2018-09-01 | The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection. |
| CVE-2021-25094 | HIGH | 8.1 | 2022-04-25 | The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upl… |
| CVE-2024-7624 | HIGH | 8.1 | 2024-08-15 | The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly… |
| CVE-2011-4899 | HIGH | 7.5 | 2012-01-30 | wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remot… |
| CVE-2025-1764 | HIGH | 7.5 | 2025-03-14 | The LoginPress \| wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to… |
| CVE-2021-24511 | HIGH | 7.2 | 2021-09-20 | The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped… |
| CVE-2022-0889 | HIGH | 7.2 | 2022-03-23 | The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the … |
| CVE-2023-2607 | HIGH | 7.2 | 2023-06-09 | The Multiple Page Generator Plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to ins… |
| CVE-2024-1596 | HIGH | 7.2 | 2024-09-07 | The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. RTX file) in all versions up to, and including, 3.3.16 … |
| CVE-2025-7050 | HIGH | 7.2 | 2025-08-05 | The Use-your-Drive \| Google Drive plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in file metadata in all versions… |
| CVE-2023-2496 | HIGH | 7.1 | 2023-05-24 | The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized arbitrary file uploads due to an improper capability check on the 'validate… |
| CVE-2012-1936 | MEDIUM | 6.8 | 2012-05-03 | The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easi… |
| CVE-2023-0688 | MEDIUM | 6.5 | 2023-06-09 | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_thankyou' shortcode in versions up to, and including, 3.3.1. This allo… |
| CVE-2023-0693 | MEDIUM | 6.5 | 2023-06-09 | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_transaction_id' shortcode in versions up to, and including, 3.3.1. Thi… |
| CVE-2023-0694 | MEDIUM | 6.5 | 2023-06-09 | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf' shortcode in versions up to, and including, 3.3.1. This allows authen… |
| CVE-2023-2498 | MEDIUM | 6.4 | 2023-05-24 | The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.19 due … |
| CVE-2023-5234 | MEDIUM | 6.4 | 2023-11-22 | The Related Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'woo-related' shortcode in versions up to, and including, 3.3.15 due to … |
| CVE-2024-5192 | MEDIUM | 6.4 | 2024-06-29 | The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to S… |
| CVE-2024-7356 | MEDIUM | 6.4 | 2024-08-03 | The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insu… |
| CVE-2024-8989 | MEDIUM | 6.4 | 2024-10-01 | The Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin'… |
| CVE-2025-4367 | MEDIUM | 6.4 | 2025-06-19 | The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 … |
| CVE-2018-19287 | MEDIUM | 6.1 | 2018-11-15 | XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_d… |
| CVE-2018-19796 | MEDIUM | 6.1 | 2018-12-03 | An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions… |
| CVE-2021-39349 | MEDIUM | 5.5 | 2021-10-15 | The Author Bio Box WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includ… |
| CVE-2021-24269 | MEDIUM | 5.4 | 2021-05-05 | The “Sina Extension for Elementor” WordPress Plugin before 3.3.12 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as co… |
| CVE-2023-0252 | MEDIUM | 5.4 | 2023-02-06 | The Contextual Related Posts WordPress plugin before 3.3.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is emb… |
| CVE-2025-3056 | MEDIUM | 5.4 | 2025-04-18 | The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input … |
| CVE-2026-2505 | MEDIUM | 5.4 | 2026-04-18 | The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due … |
| CVE-2025-13414 | MEDIUM | 5.3 | 2025-11-25 | The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function … |
| CVE-2026-3646 | MEDIUM | 5.3 | 2026-04-08 | The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.… |
| CVE-2011-4898 | MEDIUM | 5.0 | 2012-01-30 | wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whet… |
| CVE-2012-0937 | MEDIUM | 5.0 | 2012-01-30 | wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which al… |
| CVE-2022-35275 | MEDIUM | 4.8 | 2022-09-09 | Authenticated (shop manager+) Reflected Cross-Site Scripting (XSS) vulnerability in AlgolPlus Advanced Order Export For WooCommerce plugin <= 3.3.1 at WordPress. |
| CVE-2024-3992 | MEDIUM | 4.8 | 2024-06-14 | The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Script… |
| CVE-2023-2494 | MEDIUM | 4.6 | 2023-05-24 | The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_post… |
| CVE-2012-0782 | MEDIUM | 4.3 | 2012-01-30 | Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbi… |
| CVE-2015-3429 | MEDIUM | 4.3 | 2015-06-17 | Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or H… |
| CVE-2019-14682 | MEDIUM | 4.3 | 2019-08-08 | The acf-better-search (aka ACF: Better Search) plugin before 3.3.1 for WordPress allows wp-admin/options-general.php?page=acfbs_admin_page CSRF. |
| CVE-2022-29417 | MEDIUM | 4.3 | 2022-04-25 | Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to… |
| CVE-2022-1709 | MEDIUM | 4.3 | 2022-06-08 | The Throws SPAM Away WordPress plugin before 3.3.1 does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged in… |
| CVE-2023-0691 | MEDIUM | 4.3 | 2023-06-09 | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_last_name' shortcode in versions up to, and including, 3.3.1. This all… |
| CVE-2023-0692 | MEDIUM | 4.3 | 2023-06-09 | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_payment_status' shortcode in versions up to, and including, 3.3.1. Thi… |
| CVE-2021-4409 | MEDIUM | 4.3 | 2023-07-12 | The WooCommerce Etsy Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.1. This is due to missing or incorrect nonc… |
| CVE-2023-0689 | MEDIUM | 4.3 | 2023-08-31 | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This al… |
| CVE-2024-9685 | MEDIUM | 4.3 | 2024-10-10 | The Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nftb_test_action' function in versi… |
| CVE-2025-12022 | MEDIUM | 4.3 | 2025-11-21 | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_se… |
| CVE-2025-12023 | MEDIUM | 4.3 | 2025-11-21 | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_res… |
| CVE-2025-12085 | MEDIUM | 4.3 | 2025-11-21 | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_se… |
| CVE-2025-10054 | MEDIUM | 4.3 | 2025-11-21 | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_re… |
| CVE-2023-2608 | LOW | 3.1 | 2023-05-17 | The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions u… |
| CVE-2012-0287 | LOW | 2.6 | 2012-01-06 | Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web s… |
WordPress 3.3.1 is no longer safe to operate in 2025. With 5 critical vulnerabilities that allow attackers to completely take over your website, combined with 13 additional high-severity flaws, the risk of a breach is not a matter of 'if' but 'when.' The 44 websites currently running this version are sitting ducks for cybercriminals actively exploiting these known weaknesses.
Don't wait for a breach to force action. Update your WordPress installation today and implement the security measures outlined in this guide. For ongoing protection and peace of mind, use SiteRecipe.com's automated vulnerability scanning and security monitoring tools. Our platform continuously checks for outdated software, missing patches, and security misconfigurations—keeping your website safe while you focus on your business. Start your free security audit at SiteRecipe.com today.