WordPress 3.3.2, released over a decade ago, is now a significant security liability for any website still running it. With 39 documented vulnerabilities—including 3 critical issues covering SQL injection, arbitrary file upload, and IP spoofing—this legacy version poses severe risks to your site's data, functionality, and visitor safety.
If you're managing a WordPress site running version 3.3.2, immediate action is required. This guide will help you identify if your site is vulnerable, understand the specific threats, and implement the necessary security fixes to protect your business.
We've analyzed the top CVEs affecting this version to provide you with actionable steps to secure your WordPress installation today.
WordPress 3.3.2 is an extremely old version of WordPress released in early 2012—over 12 years ago. At that time, WordPress was still in its early evolution, and security practices were less rigorous than today's standards. While this version may still be running on some legacy websites, it has long been replaced by more secure and feature-rich updates.
Running WordPress 3.3.2 in 2024 is like leaving your front door unlocked in a high-crime neighborhood. The version lacks modern security features, security patches, and protection mechanisms that newer versions provide. Even worse, 16 websites are still known to be running this vulnerable version, making them prime targets for hackers searching for easy entry points.
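Before acting on any of this, confirm what is actually installed. The script below is an added example, not code from this page or from SiteRecipe's scanner: it reads the core version from the `$wp_version` line in wp-includes/version.php, lists the `Version:` header of each installed plugin, and flags a core version at or below a threshold you pass in. It assumes shell access to the WordPress document root and dotted-numeric version strings; the plugin slug and versions used in testing are constructed fixtures.

```shell
#!/bin/sh
# Added example (not from the page or SiteRecipe): inventory a WordPress install
# from the filesystem and flag an outdated core version.
# Assumes shell access to the document root and dotted-numeric version strings.

# Print the core version from wp-includes/version.php, which carries a line like
#   $wp_version = '3.3.2';
wp_core_version() {
  sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# version_le A B: succeed when A <= B, comparing dotted versions field by field.
# Missing fields count as 0; a trailing suffix such as "-beta" is ignored.
version_le() {
  vl_a=$1; vl_b=$2
  while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
    ax=${vl_a%%.*}; bx=${vl_b%%.*}
    ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}
    ax=${ax:-0}; bx=${bx:-0}
    [ "$ax" -lt "$bx" ] && return 0
    [ "$ax" -gt "$bx" ] && return 1
    case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
    case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
  done
  return 0
}

# Print "slug version" for every plugin directory, reading the Version: line of
# the plugin header comment. Plugins without a header version print "unknown".
plugin_versions() {
  for dir in "$1"/wp-content/plugins/*/; do
    [ -d "$dir" ] || continue
    slug=$(basename "$dir")
    ver=$(grep -h -i '^[[:space:]*]*Version:' "$dir"*.php 2>/dev/null \
          | head -n 1 | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s %s\n' "$slug" "${ver:-unknown}"
  done
}

# Report the core version against a threshold, then list the plugins.
# Prints OUTDATED when core <= threshold and returns 1 in that case, so the
# function can gate a cron job or a deployment check.
audit_install() {
  root=$1; threshold=$2
  core=$(wp_core_version "$root")
  if [ -z "$core" ]; then
    printf 'core unknown (no wp-includes/version.php)\n'
    status=1
  elif version_le "$core" "$threshold"; then
    printf 'core %s OUTDATED (at or below %s)\n' "$core" "$threshold"
    status=1
  else
    printf 'core %s ok\n' "$core"
    status=0
  fi
  plugin_versions "$root"
  return $status
}

# Usage: sh wp-inventory.sh /var/www/html 3.3.2
if [ $# -ge 1 ]; then
  audit_install "$1" "${2:-3.3.2}"
fi
```

Run it against the document root with the version you consider the floor; anything it flags as OUTDATED, and any plugin whose version matches an entry in the CVE table further down, is what to upgrade first. The plugin list is read from header comments, so it reports what is on disk, not what is active.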
39 CVEs found. The most critical are explained below. The table further down is matched on the version string 3.3.2, so read each description to see whether it refers to WordPress core itself or to a plugin whose own version number happens to be 3.3.2.
The Ninja Forms plugin has a weakness that lets attackers trick your website into revealing sensitive data from your database through the search feature. This is like leaving your filing cabinet unlocked where anyone can read your confidential records.
Impact: Attackers could steal customer information, form submissions, or other sensitive data stored in your database without your knowledge.
The Ninja Forms file upload tool does not properly check the type of file a user is uploading, so someone could upload a dangerous file disguised as a harmless document.
Impact: Attackers could upload malicious files that take over your website, steal data, or use it to attack your visitors without needing a password.
The Blackhole security plugin can be tricked about where requests are coming from. Attackers can make the plugin think dangerous traffic is coming from trusted sources like Google.
Impact: Legitimate users and search engines could be blocked from accessing your website, while actual attackers slip through undetected.
An older video player component in WordPress core has a security weakness that the developers have not fully described. The exact danger is unspecified, but it still needs attention.
Impact: Depending on the specific vulnerability, attackers might be able to exploit the video player functionality for malicious purposes.
The Add From Server plugin can be made to import large files through cross-site request forgery (CSRF), in which an attacker causes a logged-in user's browser to send requests that user never intended.
Impact: An attacker could trick an admin into unknowingly importing malicious files or performing unintended actions on the website.
The Sassy Social Share plugin unsafely processes data sent to it, allowing attackers to inject malicious code disguised as ordinary data. This is like leaving a door open that lets someone reprogram your system.
Impact: Attackers could execute harmful commands on your website, access files, or compromise your entire WordPress installation through this plugin's configuration import feature.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-5973 | HIGH | 8.8 | 2024-07-22 | The MasterStudy LMS WordPress Plugin WordPress plugin before 3.3.24 does not prevent students from creating instructor accounts, which could be used to get access to functionalit… |
| CVE-2025-5012 | HIGH | 8.8 | 2025-06-12 | The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the… |
| CVE-2026-1714 | HIGH | 8.6 | 2026-02-18 | The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and… |
| CVE-2024-13792 | HIGH | 7.3 | 2025-02-20 | The WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.2. This is due… |
| CVE-2026-1400 | HIGH | 7.2 | 2026-01-28 | The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_up… |
| CVE-2023-5979 | MEDIUM | 6.5 | 2023-12-04 | The eCommerce Product Catalog Plugin for WordPress plugin before 3.3.26 does not have CSRF checks in some of its admin pages, which could allow attackers to make logged-in users p… |
| CVE-2024-4363 | MEDIUM | 6.4 | 2024-05-15 | The Visual Portfolio, Photo Gallery & Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ parameter in all versions up to, and includin… |
| CVE-2025-13840 | MEDIUM | 6.4 | 2025-12-12 | The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazu_search' shortcode in all versions up to, an… |
| CVE-2026-0746 | MEDIUM | 6.4 | 2026-01-27 | The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible fo… |
| CVE-2026-7475 | MEDIUM | 6.4 | 2026-05-08 | The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is… |
| CVE-2025-13534 | MEDIUM | 6.3 | 2025-12-02 | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to miss… |
| CVE-2025-10146 | MEDIUM | 6.1 | 2025-09-19 | The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insuffic… |
| CVE-2012-2402 | MEDIUM | 5.5 | 2012-04-21 | wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspe… |
| CVE-2022-32280 | MEDIUM | 5.4 | 2022-06-15 | Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Xakuro's XO Slider plugin <= 3.3.2 at WordPress. |
| CVE-2023-2517 | MEDIUM | 5.4 | 2023-07-12 | The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.2. This is due to missing or inco… |
| CVE-2023-51688 | MEDIUM | 5.3 | 2023-12-29 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in impleCode eCommerce Product Catalog Plugin for WordPress.This issue affects eCommerce Product Catalog P… |
| CVE-2012-2401 | MEDIUM | 5.0 | 2012-04-21 | Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was … |
| CVE-2024-12875 | MEDIUM | 4.9 | 2024-12-21 | The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 v… |
| CVE-2025-12496 | MEDIUM | 4.9 | 2025-12-17 | The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible… |
| CVE-2022-0969 | MEDIUM | 4.8 | 2022-04-11 | The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allo… |
| CVE-2022-0994 | MEDIUM | 4.8 | 2022-04-18 | The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting a… |
| CVE-2024-0625 | MEDIUM | 4.4 | 2024-01-25 | The WPFront Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpfront-notification-bar-options[custom_class]’ parameter in all versions u… |
| CVE-2024-6691 | MEDIUM | 4.4 | 2024-08-12 | The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cu… |
| CVE-2024-13517 | MEDIUM | 4.4 | 2025-01-18 | The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions u… |
| CVE-2025-10490 | MEDIUM | 4.4 | 2025-09-26 | The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient i… |
| CVE-2012-2403 | MEDIUM | 4.3 | 2012-04-21 | wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripti… |
| CVE-2012-2404 | MEDIUM | 4.3 | 2012-04-21 | wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified… |
| CVE-2013-3526 | MEDIUM | 4.3 | 2013-05-10 | Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitra… |
| CVE-2012-3414 | MEDIUM | 4.3 | 2013-07-19 | Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allow… |
| CVE-2022-40128 | MEDIUM | 4.3 | 2022-11-08 | Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download. |
| CVE-2024-6167 | MEDIUM | 4.3 | 2024-07-09 | The Just Custom Fields plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX functions in all versions up to… |
| CVE-2024-6168 | MEDIUM | 4.3 | 2024-07-09 | The Just Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.2. This is due to missing or incorrect nonce vali… |
| CVE-2024-6692 | LOW | 3.3 | 2024-08-12 | The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Ag… |
WordPress 3.3.2 is a critical security liability that demands immediate attention. With 3 critical CVEs covering SQL injection, arbitrary file upload, and IP spoofing, your website and user data are at serious risk. The good news is that upgrading to a modern WordPress version is a straightforward process that eliminates the vast majority of these threats.
Don't leave your business exposed to hackers. Use SiteRecipe.com's free WordPress security scanner to identify vulnerabilities on your site, receive detailed remediation guidance, and monitor your site's security status continuously. Our platform makes it easy to stay protected with automated security checks and actionable recommendations. Start your free security audit today and take control of your WordPress site's safety.