WordPress 3.4.1 is an older version of the popular content management system that currently has 42 known security vulnerabilities, including 3 critical-level flaws that pose immediate risks to your website. If you're still running this version, your site could be exposed to SQL injection attacks, authentication bypass, local file inclusion, and privilege escalation exploits. This comprehensive guide will help you identify if you're vulnerable and provide step-by-step instructions to protect your WordPress installation.
Approximately 37 websites are still using WordPress 3.4.1, making it a potential target for cybercriminals who actively exploit known vulnerabilities in outdated software. The most dangerous CVEs affecting this version include critical SQL injection flaws in the WCFM Marketplace plugin, authentication bypass vulnerabilities in the Burst Statistics plugin, and local file inclusion issues in the Post Grid Master plugin. Taking immediate action is essential to prevent data breaches, malware infections, and unauthorized access to your website.
WordPress 3.4.1 is an older version of WordPress, the world's most popular website builder and content management system used by millions of websites. WordPress allows users to create, publish, and manage digital content without extensive coding knowledge. Version 3.4.1 was released years ago and is no longer supported by the WordPress development team, meaning it doesn't receive regular security updates that protect against new threats.
When software becomes outdated, security vulnerabilities—weaknesses in the code that hackers can exploit—accumulate over time. WordPress 3.4.1 has 42 known vulnerabilities that malicious actors can use to attack your site. These weaknesses can allow attackers to steal sensitive data, inject malicious code, take over user accounts, or completely compromise your website's functionality. Continuing to use outdated WordPress versions is like leaving your front door unlocked; it's only a matter of time before someone takes advantage.
42 CVEs found. The most critical are explained below.
The WCFM Marketplace plugin has a serious SQL injection flaw that allows attackers to inject malicious SQL commands directly into your website's database. It can be exploited without logging in, which makes it especially dangerous. Attackers can read, modify, or delete your sensitive data.
Impact: Hackers could steal customer information, modify product prices, access payment details, or completely corrupt your database, taking your store offline.
The Post Grid Master plugin allows attackers to access files on your server that they shouldn't be able to reach. This is like leaving your filing cabinet unlocked in the lobby. Hackers can view sensitive configuration files containing passwords and API keys.
Impact: Attackers could discover database credentials, API keys, and other secrets stored on your server, leading to complete compromise of your website and connected services.
The Burst Statistics analytics plugin has a flaw in how it validates user identity. Attackers can bypass the authentication system, meaning they don't need valid credentials to gain access. This is like a broken lock on your front door.
Impact: Someone could access your analytics data, modify settings, or potentially access connected admin functions without knowing your password.
The WP-Testimonials plugin allows logged-in users to run dangerous database commands through a specific feature. Even users with minimal permissions can exploit this vulnerability. It's like giving everyone a key to your database.
Impact: Malicious users could steal customer data, modify testimonials, access sensitive information, or damage your database structure.
The WCFM plugin doesn't properly check user permissions (capabilities) on certain functions. This means a subscriber or other low-level user can perform actions that should only be available to administrators. It's like someone with a basic membership accessing VIP areas.
Impact: Low-level users could modify marketplace settings, access vendor data, change commissions, or manipulate product information without authorization.
The Sunshine Photo Cart plugin doesn't properly verify security keys when validating user sessions. Attackers can forge these keys to take over accounts. This is similar to someone copying a house key from a photo.
Impact: Hackers could take over customer accounts, access private photos and galleries, impersonate users, and potentially steal payment information.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2023-5815 | HIGH | 8.1 | 2023-11-22 | The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnera… |
| CVE-2015-9341 | HIGH | 7.5 | 2019-08-22 | The wp-file-upload plugin before 3.4.1 for WordPress has insufficient restrictions on upload of .php.js files. |
| CVE-2024-13480 | HIGH | 7.5 | 2025-02-12 | The LTL Freight Quotes – For Customers of FedEx Freight plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up … |
| CVE-2026-4304 | HIGH | 7.5 | 2026-05-05 | The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due to insufficient escaping o… |
| CVE-2015-5533 | HIGH | 7.2 | 2017-10-23 | SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL comma… |
| CVE-2012-3384 | MEDIUM | 6.8 | 2012-07-22 | Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown… |
| CVE-2025-14973 | MEDIUM | 6.8 | 2026-01-26 | The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform … |
| CVE-2022-35242 | MEDIUM | 6.5 | 2022-08-23 | Unauthenticated plugin settings change vulnerability in 59sec THE Leads Management System: 59sec LITE plugin <= 3.4.1 at WordPress. |
| CVE-2023-5110 | MEDIUM | 6.4 | 2023-10-25 | The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'bsk-pdfm-category-dropdown' shortcode in versions up to, and including, 3.4.1 due to ins… |
| CVE-2023-5665 | MEDIUM | 6.4 | 2024-02-08 | The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.4.1 due to ins… |
| CVE-2024-0873 | MEDIUM | 6.4 | 2024-04-09 | The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'watu-basic-chart' shortcode in all versions up to, and including, 3.4.1 due to in… |
| CVE-2024-5191 | MEDIUM | 6.4 | 2024-06-21 | The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions u… |
| CVE-2025-3521 | MEDIUM | 6.4 | 2025-05-01 | The Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social Link icon… |
| CVE-2022-4936 | MEDIUM | 6.3 | 2023-04-05 | The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions.… |
| CVE-2016-10898 | MEDIUM | 6.1 | 2019-08-21 | The total-security plugin before 3.4.1 for WordPress has XSS. |
| CVE-2024-9371 | MEDIUM | 6.1 | 2024-11-21 | The Branda – White Label & Branding, Custom Login Page Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without a… |
| CVE-2025-5084 | MEDIUM | 6.1 | 2025-07-24 | The Post Grid Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘argsArray['read_more_text']’ parameter in all versions up to, and including, 3.4… |
| CVE-2026-2902 | MEDIUM | 6.1 | 2026-04-29 | The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeh… |
| CVE-2024-37239 | MEDIUM | 5.9 | 2024-07-22 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Branda branda-white-labeling.Th… |
| CVE-2020-14962 | MEDIUM | 5.4 | 2020-06-22 | Multiple XSS vulnerabilities in the Final Tiles Gallery plugin before 3.4.19 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Title (aka imageTi… |
| CVE-2021-24153 | MEDIUM | 5.4 | 2021-04-05 | A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis… |
| CVE-2021-24470 | MEDIUM | 5.4 | 2021-08-02 | The Yada Wiki WordPress plugin before 3.4.1 did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue |
| CVE-2021-24671 | MEDIUM | 5.4 | 2021-09-27 | The MX Time Zone Clocks WordPress plugin before 3.4.1 does not escape the time_zone attribute of the mxmtzc_time_zone_clocks shortcode, allowing users with a role as low as Contri… |
| CVE-2022-0898 | MEDIUM | 5.4 | 2022-05-09 | The IgniteUp WordPress plugin through 3.4.1 does not sanitise and escape some fields when high privilege users don't have the unfiltered_html capability, which could lead to Store… |
| CVE-2022-1393 | MEDIUM | 5.4 | 2022-05-16 | The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle field and provides a shortcode to display it via [wp_subtitle]. The subtitle is stored as a custom post meta with the… |
| CVE-2022-1780 | MEDIUM | 5.4 | 2022-06-13 | The LaTeX for WordPress plugin through 3.4.10 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a… |
| CVE-2022-4507 | MEDIUM | 5.4 | 2023-01-16 | The Real Cookie Banner WordPress plugin before 3.4.10 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow use… |
| CVE-2024-2640 | MEDIUM | 5.4 | 2024-07-12 | The Watu Quiz WordPress plugin before 3.4.1.2 does not sanitise and escape some of its settings, which could allow users such as authors (if they've been authorized by admins) to … |
| CVE-2016-10899 | MEDIUM | 5.3 | 2019-08-21 | The total-security plugin before 3.4.1 for WordPress has a settings-change vulnerability. |
| CVE-2024-6554 | MEDIUM | 5.3 | 2024-07-11 | The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is d… |
| CVE-2012-3385 | MEDIUM | 5.0 | 2012-07-22 | WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive informati… |
| CVE-2022-0833 | MEDIUM | 4.3 | 2022-03-28 | The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repea… |
| CVE-2024-1124 | MEDIUM | 4.3 | 2024-03-09 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_… |
| CVE-2024-1127 | MEDIUM | 4.3 | 2024-03-13 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the booking_export_al… |
| CVE-2024-0872 | MEDIUM | 4.3 | 2024-04-09 | The Watu Quiz plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.1 via the watu-userinfo shortcode. This makes it possi… |
| CVE-2025-9219 | MEDIUM | 4.3 | 2025-09-03 | The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulne… |
WordPress 3.4.1 is no longer safe for production websites. With 42 known vulnerabilities, including 3 critical-level flaws, continuing to use this version puts your business at serious risk of data breaches, malware infections, and complete website compromise. Cybercriminals actively exploit these known vulnerabilities, and with only 37 sites still running this version, you're an easy target. Upgrading to the latest WordPress version and updating all plugins takes just minutes but provides essential protection for your digital assets.
Don't wait for a security incident to force your hand. Use SiteRecipe.com's vulnerability scanning and security monitoring tools to identify all weaknesses in your WordPress installation and receive step-by-step remediation guidance tailored to your specific setup. Our platform continuously monitors your site for emerging threats and notifies you immediately if vulnerabilities are detected. Protect your website, your customer data, and your reputation today—visit SiteRecipe.com to run your first free security scan and see exactly what vulnerabilities your site has and how to fix them.