WordPress 3.4.2 contains 44 known security vulnerabilities, including 2 critical-severity flaws that could allow attackers to take over your website. If your site still runs this outdated version, you're at serious risk of compromise through path traversal attacks, privilege escalation, and SQL injection exploits. This guide explains what these vulnerabilities mean for your website and how to fix them immediately.
Our analysis reveals that 61 websites are currently exposed to these threats. The most dangerous vulnerabilities include the Hummingbird plugin's path traversal flaw and the Branda plugin's account takeover vulnerability. Even if you think you're protected, plugin vulnerabilities can bypass your main WordPress security measures.
The good news is that updating is straightforward. We'll walk you through identifying if you're vulnerable, understanding the risks, and implementing fixes that take just minutes to complete.
WordPress 3.4.2 is an older version of the WordPress content management system, released several years ago. It's the software that powers the backend of your website, allowing you to create pages, publish posts, manage users, and control how your site looks and functions. Think of it as the foundation of your website—everything you do relies on it working properly and securely.
This specific version (3.4.2) is no longer supported by WordPress developers, meaning it doesn't receive security updates or bug fixes anymore. When WordPress versions become outdated, hackers actively target them because they know about the vulnerabilities and can exploit websites still using the old code. Running WordPress 3.4.2 is like leaving your front door unlocked in a neighborhood where thieves know which houses have old locks.
44 CVEs found. The most critical are explained below.
The Hummingbird caching plugin has a flaw that allows attackers to write files in unintended locations on your server. This happens because the plugin doesn't properly check where cached files are being saved before creating them.
Impact: An attacker could place malicious files on your server, potentially taking control of your website or stealing sensitive data.
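The check the description says is missing is a path-confinement check. The following PHP is an added illustration, not code from the Hummingbird plugin or from this page; it assumes a hypothetical cache directory and a cache file name that ultimately comes from a request. The unsafe function joins the name onto the directory without looking at where the result points; the hardened one accepts only a conservative filename character set and then confirms that the resolved parent directory is the cache root itself.

```php
<?php
// Added example (not the plugin's code): confining a cache file write to a
// fixed directory. $cacheDir and $name are assumed inputs for illustration.

// Vulnerable pattern: a relative name such as "../wp-config.php" escapes
// $cacheDir because nothing inspects the joined path before writing.
function write_cache_unsafe(string $cacheDir, string $name, string $body): string
{
    $path = $cacheDir . '/' . $name;
    file_put_contents($path, $body);
    return $path;
}

// Hardened pattern: allow-list the name, resolve the real cache root, and
// require the resolved parent of the target to be exactly that root.
function write_cache_safe(string $cacheDir, string $name, string $body): string
{
    // First character alphanumeric, no slashes, bounded length: "..", "/" and
    // "\" can never appear, so traversal is rejected before any filesystem call.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name)) {
        throw new InvalidArgumentException('rejected cache file name');
    }

    $root = realpath($cacheDir);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('cache directory does not exist');
    }

    $path = $root . DIRECTORY_SEPARATOR . $name;

    // Defence in depth: the file may not exist yet, so resolve its parent and
    // insist that it is the cache root (catches symlink tricks the regex cannot).
    $parent = realpath(dirname($path));
    if ($parent !== $root) {
        throw new InvalidArgumentException('path escapes the cache root');
    }

    file_put_contents($path, $body);
    return $path;
}

// Demonstration against a throwaway directory (constructed for this example).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cache-demo-' . getmypid();
mkdir($dir);

echo 'written: ', write_cache_safe($dir, 'page-1.html', '<p>cached</p>'), PHP_EOL;

try {
    write_cache_safe($dir, '../escaped.php', '<?php echo 1;');
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The regex alone already rejects traversal sequences; the `realpath()` comparison is kept because it also catches a cache directory that has been replaced by a symlink, a case a character allow-list cannot see. Run it with `php` from the command line; it only touches a directory it creates under the system temp path.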
The Branda plugin allows anyone to change user passwords without verifying they actually own the account. An attacker doesn't need to be logged in to exploit this vulnerability.
Impact: Attackers could take over any user account on your site, including administrator accounts, giving them complete control of your website.
The BuddyPress WooCommerce plugin deserializes untrusted data (PHP object injection), which allows attackers to inject harmful code into your website.
Impact: An attacker could execute malicious code on your website, potentially stealing customer data, inserting spam, or taking control of your site.
The My Calendar plugin has a SQL injection flaw that lets anyone query your database without logging in: search parameters are placed into database queries without proper sanitisation, so attackers can manipulate them to retrieve sensitive information.
Impact: Attackers could steal all event data and any private information stored in your database without needing a password.
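What separates a safe event search from the flaw described above is whether the search term is bound as data or pasted into the SQL text. The following PHP is an added example, not code from the My Calendar plugin or from this page; it runs against a constructed in-memory SQLite table through PDO (the `pdo_sqlite` extension is assumed) rather than WordPress's `$wpdb`, so it can be executed offline. The same distinction applies to `$wpdb->query()` with an interpolated string versus `$wpdb->prepare()` with placeholders.

```php
<?php
// Added example (not the plugin's code): one event search written two ways,
// run against a constructed in-memory SQLite table. Requires ext/pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT NOT NULL, private INTEGER NOT NULL)');
$db->exec("INSERT INTO events (title, private) VALUES
            ('Public picnic', 0),
            ('Board meeting', 1),
            ('Payroll review', 1)");

// Vulnerable pattern: the search term becomes part of the SQL statement, so a
// term containing a quote can rewrite the WHERE clause and drop the
// private = 0 restriction.
function search_unsafe(PDO $db, string $term): array
{
    $sql = "SELECT title FROM events WHERE private = 0 AND title LIKE '%$term%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the term is bound as a parameter. Whatever it contains,
// it can only ever be compared against titles; the query structure is fixed.
function search_safe(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT title FROM events WHERE private = 0 AND title LIKE ?');
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A normal term behaves the same either way.
$benign = 'picnic';
echo "unsafe/benign:  ", implode(', ', search_unsafe($db, $benign)), PHP_EOL;
echo "safe/benign:    ", implode(', ', search_safe($db, $benign)), PHP_EOL;

// A constructed term that closes the string literal and comments out the rest
// of the statement. The unsafe query returns every row, private ones included;
// the safe query simply finds no title containing that literal text.
$hostile = "' OR 1=1 --";
echo "unsafe/hostile: ", implode(', ', search_unsafe($db, $hostile)), PHP_EOL;
echo "safe/hostile:   ", implode(', ', search_safe($db, $hostile)), PHP_EOL;
```

The point to take from the two hostile calls is not the payload but the mechanism: with a bound parameter the database receives the query shape and the data separately, so no value supplied through the search box can change which rows the `private = 0` condition protects. Escaping the term instead of binding it is a weaker fix, because it depends on every call site remembering to do so.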
The wpDataTables plugin doesn't properly check who is allowed to view data in tables. A logged-in user can manipulate settings to see another user's private data from the same table.
Impact: Your users' private information displayed in tables could be exposed to other users who shouldn't have access to it.
The wpDataTables plugin fails to properly verify permissions before allowing data deletion. A logged-in user can delete another user's data by changing table parameters.
Impact: Important data in your tables could be permanently deleted by users who shouldn't have permission to make those changes.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2021-24636 | HIGH | 8.1 | 2021-09-20 | The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin a… |
| CVE-2021-24739 | HIGH | 8.1 | 2021-12-21 | The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel D… |
| CVE-2025-9048 | HIGH | 8.1 | 2025-08-23 | The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions u… |
| CVE-2021-24651 | HIGH | 7.5 | 2021-10-11 | The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the re… |
| CVE-2023-6222 | HIGH | 7.2 | 2023-12-18 | The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does not validate user input used in a path, which could allow users with an admin role to perform path traversal … |
| CVE-2012-4448 | MEDIUM | 6.8 | 2012-09-28 | Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that m… |
| CVE-2020-36174 | MEDIUM | 6.5 | 2021-01-06 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. |
| CVE-2021-24199 | MEDIUM | 6.5 | 2021-04-12 | The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table … |
| CVE-2021-24200 | MEDIUM | 6.5 | 2021-04-12 | The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table … |
| CVE-2022-3926 | MEDIUM | 6.5 | 2022-12-05 | The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins r… |
| CVE-2023-5990 | MEDIUM | 6.5 | 2023-12-04 | The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor WordPress plugin before 3.4.2 does not have CSRF checks on some of its form actions such as deleti… |
| CVE-2024-1123 | MEDIUM | 6.5 | 2024-03-09 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_fronte… |
| CVE-2024-2845 | MEDIUM | 6.4 | 2024-04-09 | The BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support & Instant Answer For Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site… |
| CVE-2024-12304 | MEDIUM | 6.4 | 2025-01-11 | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via button block link in all versions up to, a… |
| CVE-2025-6258 | MEDIUM | 6.4 | 2025-06-26 | The WP SoundSystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsstm-track shortcode in all versions up to, and including, 3.4.2 due to ins… |
| CVE-2016-10961 | MEDIUM | 6.1 | 2019-09-16 | The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter. |
| CVE-2020-12462 | MEDIUM | 6.1 | 2020-04-29 | The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS. |
| CVE-2024-0591 | MEDIUM | 6.1 | 2024-03-13 | The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'A' parameter in all ver… |
| CVE-2024-5155 | MEDIUM | 6.1 | 2024-06-14 | The Inquiry cart WordPress plugin through 3.4.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logge… |
| CVE-2024-8549 | MEDIUM | 6.1 | 2024-09-25 | The Simple Calendar – Google Calendar Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on t… |
| CVE-2026-4090 | MEDIUM | 6.1 | 2026-04-22 | The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_… |
| CVE-2020-8594 | MEDIUM | 5.4 | 2020-02-14 | The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_l… |
| CVE-2021-24738 | MEDIUM | 5.4 | 2021-12-21 | The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perfor… |
| CVE-2024-1274 | MEDIUM | 5.4 | 2024-04-02 | The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripti… |
| CVE-2020-36173 | MEDIUM | 5.3 | 2021-01-06 | The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. |
| CVE-2020-36175 | MEDIUM | 5.3 | 2021-01-06 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. |
| CVE-2023-6065 | MEDIUM | 5.3 | 2023-12-18 | The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions … |
| CVE-2024-1321 | MEDIUM | 5.3 | 2024-03-13 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin … |
| CVE-2024-4895 | MEDIUM | 4.7 | 2024-05-23 | The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in… |
| CVE-2020-36758 | MEDIUM | 4.3 | 2023-10-20 | The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.2. This is due to missing or incorrect nonce va… |
| CVE-2024-1126 | MEDIUM | 4.3 | 2024-03-13 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_ema… |
| CVE-2024-13639 | MEDIUM | 4.3 | 2025-02-13 | The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in al… |
| CVE-2024-13358 | MEDIUM | 4.3 | 2025-03-01 | The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on t… |
| CVE-2025-1780 | MEDIUM | 4.3 | 2025-03-01 | The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on t… |
| CVE-2012-4421 | MEDIUM | 4.0 | 2012-09-14 | The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass i… |
| CVE-2012-4422 | LOW | 3.5 | 2012-09-14 | wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activat… |
| CVE-2012-3383 | LOW | 2.6 | 2012-07-22 | The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capa… |
| CVE-2012-5868 | LOW | 2.6 | 2012-12-27 | WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session iden… |
WordPress 3.4.2 poses an unacceptable security risk with 44 known vulnerabilities ready to be exploited. The two critical-severity flaws alone could lead to complete website compromise, data theft, or malware installation. Delaying this update puts your business, customer data, and reputation in danger. The update process takes less than 30 minutes and is essential maintenance, not optional.
Use SiteRecipe.com's security scanning tools to identify all vulnerabilities on your website and monitor for future threats. Our platform continuously checks for CVEs, outdated versions, and misconfigurations, alerting you before attackers find them. Stop worrying about security—let SiteRecipe automate your vulnerability management and keep your WordPress site protected 24/7.