WordPress 3.4 is an outdated version released over a decade ago, yet surprisingly, 9 websites still run this vulnerable software. Our security analysis identified 226 known vulnerabilities affecting this version, including 10 critical exploits that could compromise your entire website, steal customer data, or inject malware. These aren't theoretical threats—cybercriminals actively exploit these weaknesses daily.
If your business relies on WordPress 3.4, you're operating with a massive security liability. This guide explains the specific threats you face, how to identify if you're vulnerable, and the exact steps to protect your site before hackers strike. Time is critical: every day your site remains on this version increases the risk of a successful breach.
WordPress 3.4 was released in 2012 and reached end-of-life years ago. Think of it like driving a car from 2012 without any safety updates—the basic engine still works, but it lacks modern protections against sophisticated threats. WordPress 3.4 powered millions of websites in its day, but security standards have evolved dramatically since then. Modern WordPress versions include automatic security patches, improved authentication methods, and hardened code against common attack vectors that didn't exist when 3.4 was developed.
Running WordPress 3.4 today is like leaving your front door unlocked with a neon sign advertising your negligence. The platform itself isn't inherently bad, but it's simply incompatible with current cybersecurity threats. Hackers use automated tools to scan the internet for outdated WordPress installations and exploit known weaknesses within seconds. Without regular security updates, your site becomes a sitting duck for SQL injection attacks, unauthorized admin access, file inclusion exploits, and malware injection—all of which are documented threats against WordPress 3.4.
226 CVEs found. The most critical are explained below.
A flaw in the Sygnoos Popup Builder plugin allows hackers to directly access and manipulate your website's database. This happens through the table sorting feature, which doesn't properly filter user input before sending commands to your database.
Impact: An attacker could steal your customer data, modify website content, or completely compromise your database without needing to log in.
The Profile Builder plugin has a weakness in its password reset system that allows anyone to reset your admin password without permission. The plugin doesn't properly verify who is requesting the password reset.
Impact: A hacker could take over your entire website by resetting your admin password and logging in as you, giving them complete control.
The WCFM Marketplace plugin fails to clean up user input in its AJAX functions before using it in database queries. This allows both logged-in users and visitors to inject malicious code.
Impact: Attackers can access sensitive data, modify your marketplace listings, steal customer information, or sabotage your store's functionality.
The Hummingbird plugin doesn't properly validate where it saves cached files, allowing attackers to write files to dangerous locations on your server. This is like leaving a door open for someone to place harmful files in critical system areas.
Impact: An attacker could place malicious files on your server to take control of your website, inject malware, or cause your site to crash.
The Affiliate Toolkit plugin has an endpoint that allows anyone on the internet to make requests without any password or permission check. Attackers can use this to access internal systems or private networks.
Impact: Hackers could use your website to attack other systems, access private company networks, or gather sensitive information about your infrastructure.
The Post Grid Master plugin allows attackers to read files from your server that they shouldn't have access to. The vulnerability is in how the plugin locates and loads template files.
Impact: An attacker could access sensitive files like configuration files containing database passwords, API keys, or other confidential information.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-14998 | CRITICAL | 9.8 | 2026-01-02 | The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly val… |
| CVE-2026-3296 | CRITICAL | 9.8 | 2026-04-08 | The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry met… |
| CVE-2026-8181 | CRITICAL | 9.8 | 2026-05-14 | The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1… |
| CVE-2024-3412 | CRITICAL | 9.1 | 2024-05-29 | The WP STAGING WordPress Backup Plugin – Migration Backup Restore plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpstg_pro… |
| CVE-2017-9418 | HIGH | 8.8 | 2017-06-12 | SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for WordPress allows an authenticated user to execute arbitrary SQL commands via the testid parameter to wp-admin/a… |
| CVE-2019-17661 | HIGH | 8.8 | 2019-11-08 | A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. By choosing formula… |
| CVE-2019-17237 | HIGH | 8.8 | 2019-11-12 | includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows CSRF. |
| CVE-2021-24163 | HIGH | 8.8 | 2021-04-05 | The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for l… |
| CVE-2022-4935 | HIGH | 8.8 | 2023-04-05 | The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks o… |
| CVE-2024-2025 | HIGH | 8.8 | 2024-03-23 | The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and includin… |
| CVE-2025-5482 | HIGH | 8.8 | 2025-06-04 | The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and i… |
| CVE-2025-4413 | HIGH | 8.8 | 2025-06-18 | The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and inclu… |
| CVE-2026-8719 | HIGH | 8.8 | 2026-05-17 | The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capabil… |
| CVE-2023-6360 | HIGH | 8.6 | 2023-11-30 | The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events… |
| CVE-2018-20714 | HIGH | 8.1 | 2019-01-15 | The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which l… |
| CVE-2017-18614 | HIGH | 8.1 | 2019-09-13 | The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via the admin.php order parameter. |
| CVE-2021-24197 | HIGH | 8.1 | 2021-04-12 | The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table… |
| CVE-2021-24198 | HIGH | 8.1 | 2021-04-12 | The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table… |
| CVE-2021-24636 | HIGH | 8.1 | 2021-09-20 | The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin a… |
| CVE-2021-24739 | HIGH | 8.1 | 2021-12-21 | The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel D… |
| CVE-2022-1903 | HIGH | 8.1 | 2022-06-27 | The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to … |
| CVE-2023-5815 | HIGH | 8.1 | 2023-11-22 | The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnera… |
| CVE-2025-9048 | HIGH | 8.1 | 2025-08-23 | The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions u… |
| CVE-2025-8565 | HIGH | 8.1 | 2025-09-18 | The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized access of functionality due to a mi… |
| CVE-2026-5478 | HIGH | 8.1 | 2026-04-20 | The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-c… |
| CVE-2018-6015 | HIGH | 7.5 | 2018-01-26 | An issue was discovered in the "Email Subscribers & Newsletters" plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding o… |
| CVE-2015-9341 | HIGH | 7.5 | 2019-08-22 | The wp-file-upload plugin before 3.4.1 for WordPress has insufficient restrictions on upload of .php.js files. |
| CVE-2019-15863 | HIGH | 7.5 | 2019-09-03 | The ConvertPlus plugin before 3.4.5 for WordPress has an unintended account creation (with the none role) via a request for variants. |
| CVE-2019-17234 | HIGH | 7.5 | 2019-11-12 | includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows unauthenticated arbitrary file deletion. |
| CVE-2021-24651 | HIGH | 7.5 | 2021-10-11 | The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the re… |
| CVE-2024-13480 | HIGH | 7.5 | 2025-02-12 | The LTL Freight Quotes – For Customers of FedEx Freight plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up … |
| CVE-2025-0810 | HIGH | 7.5 | 2025-04-05 | The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.7. This is due to missing or incorrect nonce v… |
| CVE-2026-0692 | HIGH | 7.5 | 2026-02-14 | The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin rel… |
| CVE-2026-4304 | HIGH | 7.5 | 2026-05-05 | The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due to insufficient escaping o… |
| CVE-2015-5533 | HIGH | 7.2 | 2017-10-23 | SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL comma… |
| CVE-2023-6222 | HIGH | 7.2 | 2023-12-18 | The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does not validate user input used in a path, which could allow users with an admin role to perform path traversal … |
| CVE-2024-1852 | HIGH | 7.2 | 2024-04-09 | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.4.9.2 due… |
| CVE-2025-0809 | HIGH | 7.2 | 2025-01-31 | The Link Fixer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via broken links in all versions up to, and including, 3.4 due to insufficient input sanitization … |
| CVE-2025-11238 | HIGH | 7.2 | 2025-10-25 | The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP Referer header in versions less than, or equal to, 3.4.4 due to insufficient input san… |
| CVE-2023-46086 | HIGH | 7.1 | 2023-11-30 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin allo… |
| CVE-2024-1385 | HIGH | 7.1 | 2024-04-06 | The WP-Stateless – Google Cloud Storage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the dismiss_notices() function in all … |
| CVE-2008-6811 | MEDIUM | 6.8 | 2009-05-18 | Unrestricted file upload vulnerability in image_processing.php in the e-Commerce Plugin 3.4 and earlier for WordPress allows remote attackers to execute arbitrary code by uploadin… |
| CVE-2012-3384 | MEDIUM | 6.8 | 2012-07-22 | Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown… |
| CVE-2012-4448 | MEDIUM | 6.8 | 2012-09-28 | Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that m… |
| CVE-2025-14973 | MEDIUM | 6.8 | 2026-01-26 | The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform … |
| CVE-2014-5324 | MEDIUM | 6.5 | 2014-09-26 | Unrestricted file upload vulnerability in the N-Media file uploader plugin before 3.4 for WordPress allows remote authenticated users to execute arbitrary PHP code by leveraging A… |
| CVE-2015-9431 | MEDIUM | 6.5 | 2019-09-26 | The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=qtranslate-x json_config_files or json_custom_i18n_config … |
| CVE-2020-36174 | MEDIUM | 6.5 | 2021-01-06 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. |
| CVE-2021-24199 | MEDIUM | 6.5 | 2021-04-12 | The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table … |
| CVE-2021-24200 | MEDIUM | 6.5 | 2021-04-12 | The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table … |
| CVE-2022-35242 | MEDIUM | 6.5 | 2022-08-23 | Unauthenticated plugin settings change vulnerability in 59sec THE Leads Management System: 59sec LITE plugin <= 3.4.1 at WordPress. |
| CVE-2022-3926 | MEDIUM | 6.5 | 2022-12-05 | The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins r… |
| CVE-2023-5382 | MEDIUM | 6.5 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation o… |
| CVE-2023-5386 | MEDIUM | 6.5 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to,… |
| CVE-2023-5990 | MEDIUM | 6.5 | 2023-12-04 | The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor WordPress plugin before 3.4.2 does not have CSRF checks on some of its form actions such as deleti… |
| CVE-2023-6733 | MEDIUM | 6.5 | 2024-01-04 | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.8 via the wpmem_field shortcode. Th… |
| CVE-2024-1123 | MEDIUM | 6.5 | 2024-03-09 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_fronte… |
| CVE-2024-1320 | MEDIUM | 6.5 | 2024-03-09 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'offline_status' parameter in all versions up to, … |
| CVE-2025-13359 | MEDIUM | 6.5 | 2025-12-03 | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versi… |
| CVE-2025-13922 | MEDIUM | 6.5 | 2025-12-06 | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existing_terms_orderby' parameter… |
| CVE-2026-0683 | MEDIUM | 6.5 | 2026-01-31 | The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and… |
| CVE-2025-15488 | MEDIUM | 6.5 | 2026-03-26 | The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsi… |
| CVE-2023-5110 | MEDIUM | 6.4 | 2023-10-25 | The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'bsk-pdfm-category-dropdown' shortcode in versions up to, and including, 3.4.1 due to ins… |
| CVE-2024-0256 | MEDIUM | 6.4 | 2024-02-07 | The Starbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Profile Display Name and Social Settings in all versions up to, and including, 3.4.8 due to i… |
| CVE-2023-5665 | MEDIUM | 6.4 | 2024-02-08 | The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.4.1 due to ins… |
| CVE-2023-6806 | MEDIUM | 6.4 | 2024-02-29 | The Starbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Settings user profile fields in all versions up to, and including, 3.4.8 due to insuffici… |
| CVE-2024-1987 | MEDIUM | 6.4 | 2024-03-08 | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.4.9.1 due … |
| CVE-2024-0873 | MEDIUM | 6.4 | 2024-04-09 | The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'watu-basic-chart' shortcode in all versions up to, and including, 3.4.1 due to in… |
| CVE-2024-2845 | MEDIUM | 6.4 | 2024-04-09 | The BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support & Instant Answer For Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site… |
| CVE-2024-1679 | MEDIUM | 6.4 | 2024-05-02 | The Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template … |
| CVE-2024-4034 | MEDIUM | 6.4 | 2024-05-02 | The Virtue theme for WordPress is vulnerable to Stored Cross-Site Scripting via a Post Author's name in all versions up to, and including, 3.4.8 due to insufficient input sanitiza… |
| CVE-2024-4546 | MEDIUM | 6.4 | 2024-05-16 | The Custom Post Type Attachment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pdf_attachment' shortcode in all versions up to, and including,… |
| CVE-2024-5191 | MEDIUM | 6.4 | 2024-06-21 | The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions u… |
| CVE-2024-1056 | MEDIUM | 6.4 | 2024-08-29 | The FunnelKit Funnel Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allow_iframe_tag_in_post' function which uses the 'wp_kses_allowed_html… |
| CVE-2024-10374 | MEDIUM | 6.4 | 2024-10-25 | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_loginout shortcode in all versions up to, and including, … |
| CVE-2024-11938 | MEDIUM | 6.4 | 2024-12-21 | The One Click Upsell Funnel for WooCommerce – Funnel Builder for WordPress, Create WooCommerce Upsell, Post-Purchase Upsell & Cross Sell Offers that Boost Sales & Increase Profit… |
| CVE-2024-12304 | MEDIUM | 6.4 | 2025-01-11 | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via button block link in all versions up to, a… |
| CVE-2025-1005 | MEDIUM | 6.4 | 2025-02-15 | The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Accordion widget in all versions up to, and including, 3.… |
| CVE-2025-1291 | MEDIUM | 6.4 | 2025-03-01 | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icon’ parameter in all versions up to… |
| CVE-2024-11180 | MEDIUM | 6.4 | 2025-03-29 | The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer Widget ekit_countdown_timer_title parameter in all versi… |
| CVE-2025-3521 | MEDIUM | 6.4 | 2025-05-01 | The Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social Link icon… |
| CVE-2025-6258 | MEDIUM | 6.4 | 2025-06-26 | The WP SoundSystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsstm-track shortcode in all versions up to, and including, 3.4.2 due to ins… |
| CVE-2025-4685 | MEDIUM | 6.4 | 2025-07-21 | The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widg… |
| CVE-2025-9992 | MEDIUM | 6.4 | 2025-09-18 | The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to, a… |
| CVE-2025-9130 | MEDIUM | 6.4 | 2025-10-03 | The Unify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin for WordPress's unify_checkout shortcode in all versions up to, and including, 3.4.7 due… |
| CVE-2026-2924 | MEDIUM | 6.4 | 2026-04-04 | The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to… |
| CVE-2019-25744 | MEDIUM | 6.4 | 2026-06-04 | WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tag… |
| CVE-2022-4936 | MEDIUM | 6.3 | 2023-04-05 | The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions.… |
| CVE-2015-10105 | MEDIUM | 6.3 | 2023-05-01 | A vulnerability, which was classified as critical, was found in IP Blacklist Cloud Plugin up to 3.42 on WordPress. This affects the function valid_js_identifier of the file ip_bla… |
| CVE-2024-1677 | MEDIUM | 6.3 | 2024-05-02 | The Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data, modification of … |
| CVE-2018-0546 | MEDIUM | 6.1 | 2018-03-09 | Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.6 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-0547 | MEDIUM | 6.1 | 2018-03-09 | Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.7 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-16254 | MEDIUM | 6.1 | 2019-04-12 | There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=options. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able … |
| CVE-2018-16255 | MEDIUM | 6.1 | 2019-04-12 | There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able… |
| CVE-2018-16256 | MEDIUM | 6.1 | 2019-04-12 | There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via Add Filtering Options(Add Rule). NOTE: The vendor states that this is not a vulnerability. WP All Imp… |
| CVE-2018-16257 | MEDIUM | 6.1 | 2019-04-12 | There are multiple XSS vulnerabilities in WP All Import plugin 3.4.9 for WordPress via action=template. NOTE: The vendor states that this is not a vulnerability. WP All Import is … |
| CVE-2018-16258 | MEDIUM | 6.1 | 2019-04-12 | There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-import custom_type. NOTE: The vendor states that this is not a vulnerability. WP All Impor… |
| CVE-2018-16259 | MEDIUM | 6.1 | 2019-04-12 | There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-settings large_feed_limit. NOTE: The vendor states that this is not a vulnerability. WP Al… |
| CVE-2017-18497 | MEDIUM | 6.1 | 2019-08-13 | The liveforms plugin before 3.4.0 for WordPress has XSS. |
| CVE-2017-18567 | MEDIUM | 6.1 | 2019-08-20 | The wp-all-import plugin before 3.4.6 for WordPress has XSS. |
| CVE-2018-20978 | MEDIUM | 6.1 | 2019-08-20 | The wp-all-import plugin before 3.4.7 for WordPress has XSS. |
| CVE-2016-10898 | MEDIUM | 6.1 | 2019-08-21 | The total-security plugin before 3.4.1 for WordPress has XSS. |
| CVE-2017-18538 | MEDIUM | 6.1 | 2019-08-21 | The weblibrarian plugin before 3.4.8.5 for WordPress has XSS via front-end short codes. |
| CVE-2017-18539 | MEDIUM | 6.1 | 2019-08-21 | The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front-end short codes. |
| CVE-2017-18540 | MEDIUM | 6.1 | 2019-08-21 | The weblibrarian plugin before 3.4.8.7 for WordPress has XSS via front-end short codes. |
| CVE-2015-9327 | MEDIUM | 6.1 | 2019-08-21 | The flickr-justified-gallery plugin before 3.4.0 for WordPress has XSS. |
| CVE-2015-9359 | MEDIUM | 6.1 | 2019-08-28 | The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_arg() and remove_query_arg(). |
| CVE-2019-15817 | MEDIUM | 6.1 | 2019-08-30 | The easy-property-listings plugin before 3.4 for WordPress has XSS. |
| CVE-2016-10961 | MEDIUM | 6.1 | 2019-09-16 | The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter. |
| CVE-2016-10973 | MEDIUM | 6.1 | 2019-09-16 | The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php. |
| CVE-2019-17236 | MEDIUM | 6.1 | 2019-11-12 | includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress is vulnerable to stored XSS. |
| CVE-2020-12462 | MEDIUM | 6.1 | 2020-04-29 | The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS. |
| CVE-2021-24135 | MEDIUM | 6.1 | 2021-03-18 | Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities allo… |
| CVE-2021-24165 | MEDIUM | 6.1 | 2021-04-05 | In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect… |
| CVE-2021-24588 | MEDIUM | 6.1 | 2021-09-06 | The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerability in the plugin's setting page. |
| CVE-2021-24891 | MEDIUM | 6.1 | 2021-11-23 | The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scriptin… |
| CVE-2021-24797 | MEDIUM | 6.1 | 2021-12-27 | The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which coul… |
| CVE-2023-2572 | MEDIUM | 6.1 | 2023-06-05 | The Survey Maker WordPress plugin before 3.4.7 does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be … |
| CVE-2023-2321 | MEDIUM | 6.1 | 2023-07-04 | The WPForms Google Sheet Connector WordPress plugin before 3.4.6, gsheetconnector-wpforms-pro WordPress plugin through 3.4.6 does not escape a parameter before outputting it back … |
| CVE-2023-4950 | MEDIUM | 6.1 | 2023-10-16 | The Interactive Contact Form and Multi Step Form Builder WordPress plugin before 3.4 does not sanitise and escape some parameters, which could allow unauthenticated users to perfo… |
| CVE-2024-0591 | MEDIUM | 6.1 | 2024-03-13 | The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'A' parameter in all ver… |
| CVE-2024-0979 | MEDIUM | 6.1 | 2024-06-13 | The Dashboard Widgets Suite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 3.4.3 due to insuffi… |
| CVE-2024-5155 | MEDIUM | 6.1 | 2024-06-14 | The Inquiry cart WordPress plugin through 3.4.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logge… |
| CVE-2024-8549 | MEDIUM | 6.1 | 2024-09-25 | The Simple Calendar – Google Calendar Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on t… |
| CVE-2024-9231 | MEDIUM | 6.1 | 2024-10-22 | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in al… |
| CVE-2024-9374 | MEDIUM | 6.1 | 2024-10-24 | The Terms descriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions… |
| CVE-2024-9371 | MEDIUM | 6.1 | 2024-11-21 | The Branda – White Label & Branding, Custom Login Page Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without a… |
| CVE-2025-3097 | MEDIUM | 6.1 | 2025-04-02 | The wp Time Machine plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.0. This is due to missing or incorrect nonce validat… |
| CVE-2025-5084 | MEDIUM | 6.1 | 2025-07-24 | The Post Grid Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘argsArray['read_more_text']’ parameter in all versions up to, and including, 3.4… |
| CVE-2026-4090 | MEDIUM | 6.1 | 2026-04-22 | The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_… |
| CVE-2026-2902 | MEDIUM | 6.1 | 2026-04-29 | The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeh… |
| CVE-2026-3001 | MEDIUM | 6.1 | 2026-05-27 | The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input san… |
| CVE-2024-37239 | MEDIUM | 5.9 | 2024-07-22 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Branda branda-white-labeling.Th… |
| CVE-2024-10076 | MEDIUM | 5.9 | 2025-05-15 | The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counter… |
| CVE-2022-3881 | MEDIUM | 5.7 | 2022-12-12 | The WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log WordPress plugin before 3.43 does not have proper authori… |
| CVE-2017-18600 | MEDIUM | 5.4 | 2019-09-10 | The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field. |
| CVE-2020-8594 | MEDIUM | 5.4 | 2020-02-14 | The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_l… |
| CVE-2020-14962 | MEDIUM | 5.4 | 2020-06-22 | Multiple XSS vulnerabilities in the Final Tiles Gallery plugin before 3.4.19 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Title (aka imageTi… |
| CVE-2021-24153 | MEDIUM | 5.4 | 2021-04-05 | A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis… |
| CVE-2021-24166 | MEDIUM | 5.4 | 2021-04-05 | The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it p… |
| CVE-2021-24309 | MEDIUM | 5.4 | 2021-06-01 | The "Schedule Name" input in the Weekly Schedule WordPress plugin before 3.4.3 general options did not properly sanitize input, allowing a user to inject javascript code using the… |
| CVE-2021-24386 | MEDIUM | 5.4 | 2021-07-06 | The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then per… |
| CVE-2021-24470 | MEDIUM | 5.4 | 2021-08-02 | The Yada Wiki WordPress plugin before 3.4.1 did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue |
| CVE-2021-24671 | MEDIUM | 5.4 | 2021-09-27 | The MX Time Zone Clocks WordPress plugin before 3.4.1 does not escape the time_zone attribute of the mxmtzc_time_zone_clocks shortcode, allowing users with a role as low as Contri… |
| CVE-2021-24738 | MEDIUM | 5.4 | 2021-12-21 | The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perfor… |
| CVE-2022-0898 | MEDIUM | 5.4 | 2022-05-09 | The IgniteUp WordPress plugin through 3.4.1 does not sanitise and escape some fields when high privilege users don't have the unfiltered_html capability, which could lead to Store… |
| CVE-2022-1393 | MEDIUM | 5.4 | 2022-05-16 | The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle field and provides a shortcode to display it via [wp_subtitle]. The subtitle is stored as a custom post meta with the… |
| CVE-2022-1780 | MEDIUM | 5.4 | 2022-06-13 | The LaTeX for WordPress plugin through 3.4.10 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a… |
| CVE-2022-4507 | MEDIUM | 5.4 | 2023-01-16 | The Real Cookie Banner WordPress plugin before 3.4.10 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow use… |
| CVE-2022-4790 | MEDIUM | 5.4 | 2023-01-23 | The WP Google My Business Auto Publish WordPress plugin before 3.4 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as cont… |
| CVE-2022-4777 | MEDIUM | 5.4 | 2023-02-21 | The Bootstrap Shortcodes WordPress plugin through 3.4.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcod… |
| CVE-2024-1125 | MEDIUM | 5.4 | 2024-03-09 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the calendar_events_del… |
| CVE-2023-7085 | MEDIUM | 5.4 | 2024-03-18 | The Scalable Vector Graphics (SVG) WordPress plugin through 3.4 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SV… |
| CVE-2024-1274 | MEDIUM | 5.4 | 2024-04-02 | The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripti… |
| CVE-2024-2640 | MEDIUM | 5.4 | 2024-07-12 | The Watu Quiz WordPress plugin before 3.4.1.2 does not sanitise and escape some of its settings, which could allow users such as authors (if they've been authorized by admins) to … |
| CVE-2025-14854 | MEDIUM | 5.4 | 2026-01-14 | The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_st… |
| CVE-2026-1251 | MEDIUM | 5.4 | 2026-01-31 | The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via… |
| CVE-2016-10899 | MEDIUM | 5.3 | 2019-08-21 | The total-security plugin before 3.4.1 for WordPress has a settings-change vulnerability. |
| CVE-2019-17235 | MEDIUM | 5.3 | 2019-11-12 | includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows information disclosure. |
| CVE-2020-36173 | MEDIUM | 5.3 | 2021-01-06 | The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. |
| CVE-2020-36175 | MEDIUM | 5.3 | 2021-01-06 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. |
| CVE-2021-24677 | MEDIUM | 5.3 | 2021-10-18 | The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles. |
| CVE-2023-4933 | MEDIUM | 5.3 | 2023-10-16 | The WP Job Openings WordPress plugin before 3.4.3 does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated … |
| CVE-2023-6065 | MEDIUM | 5.3 | 2023-12-18 | The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions … |
| CVE-2024-1321 | MEDIUM | 5.3 | 2024-03-13 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin … |
| CVE-2024-2920 | MEDIUM | 5.3 | 2024-04-26 | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.4.9.3 due to the plugin uploading user supplied… |
| CVE-2024-3682 | MEDIUM | 5.3 | 2024-04-26 | The WP STAGING and WP STAGING Pro plugins for WordPress are vulnerable to Sensitive Information Exposure in versions up to, and including, 3.4.3, and versions up to, and including… |
| CVE-2024-4997 | MEDIUM | 5.3 | 2024-06-04 | The WPUpper Share Buttons plugin for WordPress is vulnerable to unauthorized access of data when preparing sharing links for posts and pages in all versions up to, and including, … |
| CVE-2024-0972 | MEDIUM | 5.3 | 2024-06-06 | The BuddyPress Members Only plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.9 via the REST API. This makes it possib… |
| CVE-2024-6554 | MEDIUM | 5.3 | 2024-07-11 | The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is d… |
| CVE-2024-6553 | MEDIUM | 5.3 | 2024-07-24 | The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.3.This is due to the plugin uti… |
| CVE-2024-9546 | MEDIUM | 5.3 | 2024-10-15 | The WPIDE – File Manager & Code Editor plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.9. This is due to the plugin utilizing … |
| CVE-2025-0968 | MEDIUM | 5.3 | 2025-02-19 | The ElementsKit Elementor addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.0 due to a missing capability chec… |
| CVE-2025-10745 | MEDIUM | 5.3 | 2025-09-26 | The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a … |
| CVE-2025-13529 | MEDIUM | 5.3 | 2026-01-07 | The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.… |
| CVE-2026-0831 | MEDIUM | 5.3 | 2026-01-10 | The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_temp… |
| CVE-2012-3385 | MEDIUM | 5.0 | 2012-07-22 | WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive informati… |
| CVE-2025-11972 | MEDIUM | 4.9 | 2025-11-08 | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'post_types' parameter in all versions up to, and i… |
| CVE-2021-24448 | MEDIUM | 4.8 | 2021-08-02 | The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high p… |
| CVE-2022-3420 | MEDIUM | 4.8 | 2022-10-31 | The Official Integration for Billingo WordPress plugin before 3.4.0 does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as… |
| CVE-2022-3838 | MEDIUM | 4.8 | 2022-12-05 | The WPUpper Share Buttons WordPress plugin through 3.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored C… |
| CVE-2022-3906 | MEDIUM | 4.8 | 2022-12-12 | The Easy Form Builder WordPress plugin before 3.4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross… |
| CVE-2022-3840 | MEDIUM | 4.8 | 2022-12-26 | The Login for Google Apps WordPress plugin before 3.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored C… |
| CVE-2024-2309 | MEDIUM | 4.8 | 2024-04-17 | The WP STAGING WordPress Backup Plugin WordPress plugin before 3.4.0, wp-staging-pro WordPress plugin before 5.4.0 does not sanitise and escape some of its settings, which could … |
| CVE-2024-4895 | MEDIUM | 4.7 | 2024-05-23 | The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in… |
| CVE-2025-6719 | MEDIUM | 4.4 | 2025-07-18 | The Terms descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.4.8 due to insufficient input s… |
| CVE-2021-24164 | MEDIUM | 4.3 | 2021-04-05 | In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connect… |
| CVE-2021-24816 | MEDIUM | 4.3 | 2021-11-08 | The Phoenix Media Rename WordPress plugin before 3.4.4 does not have capability checks in its phoenix_media_rename AJAX action, which could allow users with Author roles to rename… |
| CVE-2022-23983 | MEDIUM | 4.3 | 2022-02-21 | Cross-Site Request Forgery (CSRF) vulnerability leading to plugin Settings Update discovered in WP Content Copy Protection & No Right Click WordPress plugin (versions <= 3.4.4). |
| CVE-2022-0833 | MEDIUM | 4.3 | 2022-03-28 | The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repea… |
| CVE-2023-2869 | MEDIUM | 4.3 | 2023-07-12 | The WP-Members Membership plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the do_field_reorder function in versions … |
| CVE-2021-4427 | MEDIUM | 4.3 | 2023-07-12 | The Vuukle Comments, Reactions, Share Bar, Revenue plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.31. This is due to missin… |
| CVE-2020-36758 | MEDIUM | 4.3 | 2023-10-20 | The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.2. This is due to missing or incorrect nonce va… |
| CVE-2023-5383 | MEDIUM | 4.3 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation o… |
| CVE-2023-5385 | MEDIUM | 4.3 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_copy_posts function in versions up to, a… |
| CVE-2023-5387 | MEDIUM | 4.3 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_trigger_dark_mode function in versio… |
| CVE-2023-5411 | MEDIUM | 4.3 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_save_post function in versions up to… |
| CVE-2023-5415 | MEDIUM | 4.3 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to,… |
| CVE-2023-5416 | MEDIUM | 4.3 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up … |
| CVE-2023-5417 | MEDIUM | 4.3 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up … |
| CVE-2023-5419 | MEDIUM | 4.3 | 2023-11-22 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to… |
| CVE-2024-0366 | MEDIUM | 4.3 | 2024-02-05 | The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function … |
| CVE-2024-1124 | MEDIUM | 4.3 | 2024-03-09 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_… |
| CVE-2024-1126 | MEDIUM | 4.3 | 2024-03-13 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_ema… |
| CVE-2024-1127 | MEDIUM | 4.3 | 2024-03-13 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the booking_export_al… |
| CVE-2024-1325 | MEDIUM | 4.3 | 2024-03-20 | The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.3. This is due to… |
| CVE-2024-0872 | MEDIUM | 4.3 | 2024-04-09 | The Watu Quiz plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.1 via the watu-userinfo shortcode. This makes it possi… |
| CVE-2024-6836 | MEDIUM | 4.3 | 2024-07-24 | The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to u… |
| CVE-2024-13639 | MEDIUM | 4.3 | 2025-02-13 | The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in al… |
| CVE-2024-13358 | MEDIUM | 4.3 | 2025-03-01 | The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on t… |
| CVE-2025-1780 | MEDIUM | 4.3 | 2025-03-01 | The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on t… |
| CVE-2025-9219 | MEDIUM | 4.3 | 2025-09-03 | The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulne… |
| CVE-2025-13354 | MEDIUM | 4.3 | 2025-12-03 | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This i… |
| CVE-2025-14371 | MEDIUM | 4.3 | 2026-01-06 | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on th… |
| CVE-2026-4888 | MEDIUM | 4.3 | 2026-05-28 | The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability che… |
| CVE-2025-1986 | MEDIUM | 4.1 | 2025-04-01 | The Gutentor WordPress plugin before 3.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks |
| CVE-2012-4421 | MEDIUM | 4.0 | 2012-09-14 | The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass i… |
| CVE-2012-4422 | LOW | 3.5 | 2012-09-14 | wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activat… |
| CVE-2012-3383 | LOW | 2.6 | 2012-07-22 | The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capa… |
| CVE-2012-5868 | LOW | 2.6 | 2012-12-27 | WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session iden… |
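Two patterns account for most of the medium-severity rows above: reflected cross-site scripting through `add_query_arg()` output that is never escaped, and AJAX actions that run with no nonce check (CSRF) and no capability check (missing authorization). The following is an added example, not code from this page or from any of the plugins listed; the function names, action names and option key are hypothetical. It shows each vulnerable pattern next to the hardened form a plugin author would ship.

```php
<?php
/**
 * Added example (not from the page or from any listed plugin).
 * Names such as example_tab_link_* and example_delete_item_* are hypothetical.
 * Requires the WordPress runtime; the calls used (add_query_arg, esc_url,
 * esc_html, admin_url, check_ajax_referer, current_user_can, absint,
 * wp_send_json_*) are standard WordPress functions.
 */

// --- 1. Reflected XSS via add_query_arg() --------------------------------

// VULNERABLE: with no $url argument, add_query_arg() builds the link on
// $_SERVER['REQUEST_URI'], which the attacker controls, and the result is
// printed into an attribute without escaping. A request such as
//   /wp-admin/admin.php?page=example&"><svg onload=alert(1)>
// reaches the href verbatim. This is the "add_query_arg without appropriate
// escaping on the URL" pattern from the table.
function example_tab_link_vulnerable( $tab ) {
    $url = add_query_arg( 'tab', $tab );
    echo '<a href="' . $url . '">' . $tab . '</a>';
}

// FIXED: build on an explicit base URL rather than REQUEST_URI, encode the
// value, escape the URL for an attribute context with esc_url(), and escape
// the visible text with esc_html().
function example_tab_link_fixed( $tab ) {
    $url = add_query_arg(
        'tab',
        rawurlencode( $tab ),
        admin_url( 'admin.php?page=example' )
    );
    echo '<a href="' . esc_url( $url ) . '">' . esc_html( $tab ) . '</a>';
}

// --- 2. CSRF plus missing capability check on an AJAX action -------------

// VULNERABLE: wp_ajax_* fires for every authenticated role, so a subscriber
// can call this directly, and because there is no nonce a forged request
// from a third-party page is accepted for a logged-in admin as well. This is
// the "missing nonce verification" / "missing capability check" pattern.
function example_delete_item_vulnerable() {
    $id = intval( $_POST['id'] );
    delete_option( 'example_item_' . $id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_item_vulnerable', 'example_delete_item_vulnerable' );

// FIXED: verify the nonce (defeats CSRF) and the capability (authorization)
// before touching state. check_ajax_referer() terminates the request on a
// bad or missing nonce; the capability check rejects low-privilege users.
function example_delete_item_fixed() {
    check_ajax_referer( 'example_delete_item', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'bad id', 400 );
    }
    delete_option( 'example_item_' . $id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_item_fixed', 'example_delete_item_fixed' );

// The matching nonce is emitted on the admin page that sends the request:
//   wp_nonce_field( 'example_delete_item', 'nonce' );
// or, for a JavaScript caller, wp_create_nonce( 'example_delete_item' ).
```

When reviewing a plugin, grep for `add_query_arg(` and `remove_query_arg(` calls whose result is echoed without `esc_url()`, and for every `add_action( 'wp_ajax_` handler confirm that both a nonce check and a `current_user_can()` check run before any write.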
WordPress 3.4 represents an unacceptable security risk today. The 226 entries above are aggregated by affected-version string, so most of them are plugin vulnerabilities (the "3.4" in those rows is the plugin's version) that apply only where that plugin is installed; the WordPress core entries for the 3.4 series are CVE-2012-3385 (fixed in 3.4.1), CVE-2012-4421, CVE-2012-4422 and CVE-2012-3383 (fixed in 3.4.2), and CVE-2012-5868 (affects 3.4.2). Taken together, the list shows the classes an unmaintained install is exposed to: SQL injection, cross-site scripting, cross-site request forgery, missing authorization checks, information disclosure and, through them, complete compromise. The good news: upgrading to a current WordPress release is straightforward and protects your business, customers and reputation. Upgrade core and every plugin together (the fix versions in the table are plugin versions), take a full backup first, and confirm that the host's PHP version meets the current WordPress minimum before starting.
Don't wait for a breach notification. SiteRecipe.com's advanced vulnerability scanner identifies outdated software, missing patches, and active exploits on your site in minutes. We'll show you exactly which vulnerabilities affect your WordPress installation and provide step-by-step remediation guidance. Start your free security scan today and stop operating in the cyber dark ages.