WordPress 3.5.1 contains a staggering 48 known vulnerabilities, including 3 critical security flaws that could expose your website to complete compromise. Despite being an older version, 131 websites worldwide still run this vulnerable software, making them prime targets for cybercriminals. If your site is among them, immediate action is required.
Our security team has analyzed the top threats in WordPress 3.5.1, including privilege escalation attacks, remote code execution, and CSRF vulnerabilities. This comprehensive guide will help you identify if your website is at risk and provide step-by-step instructions to secure your installation before attackers strike.
WordPress 3.5.1 is an older version of the world's most popular website platform, released years ago with outdated security standards. While it was once considered stable, technology evolves rapidly and new attack methods emerge constantly. This version lacks the modern security protections built into current WordPress releases, making it increasingly dangerous to operate in today's threat landscape.
Think of WordPress like a house: older homes may still function, but they lack modern security features like alarm systems and reinforced locks. WordPress 3.5.1 is that aging house—it might technically work, but it's vulnerable to intruders who know its weaknesses. The 48 documented vulnerabilities are like 48 different ways someone could break in, and hackers actively exploit these known entry points.
48 CVEs found. The most critical are explained below.
The Real Estate 7 theme allows anyone to register on your site and automatically assign themselves as an administrator during signup. Attackers can bypass normal registration rules and gain full control of your website without needing valid credentials.
Impact: Attackers could take over your entire website, access sensitive data, modify content, or use your site to spread malware to visitors.
The InWave Jobs plugin allows anyone to reset and change any user's password without proof of identity. An attacker can take over accounts by simply resetting passwords, including administrator accounts.
Impact: Attackers can hijack any user account including yours, lock you out of your own site, and gain complete administrative access.
Smart Slider 3 Pro's update system was compromised and injected with malware. When you update the plugin, attackers automatically gain remote access to execute any commands on your server.
Impact: Your entire server could be compromised, allowing attackers to steal data, install ransomware, or use your server for illegal purposes.
The Private Only plugin has security flaws that allow attackers to trick administrators into performing unauthorized actions through forged requests. Attackers can add fake users, delete posts, or modify website files.
Impact: Your site could have unauthorized users added, important content deleted, or core website files changed without your knowledge or consent.
The Smart Slider 3 plugin doesn't properly check files you import. If you accidentally import a malicious file, attackers can inject harmful code into your website through PHP object injection.
Impact: Attackers could execute malicious code on your server if you import a compromised slider file, potentially compromising your entire site.
The Stars Rating plugin doesn't properly validate rating submissions. Attackers can submit extremely large numbers that crash your comments section or dashboard.
Impact: Your website's comments section or admin dashboard could become unusable, disrupting normal site operations and user experience.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-2186 | HIGH | 7.5 | 2025-03-22 | The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to SQL Injection via the ‘automationId’… |
| CVE-2025-7504 | HIGH | 7.5 | 2025-07-12 | The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter This makes it possible f… |
| CVE-2025-6220 | HIGH | 7.2 | 2025-06-18 | The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions… |
| CVE-2025-6212 | HIGH | 7.2 | 2025-06-26 | The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient inpu… |
| CVE-2014-8603 | MEDIUM | 6.5 | 2015-06-10 | cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to execute arbitrary code via shell metacharacters in the (1) fil… |
| CVE-2023-6077 | MEDIUM | 6.5 | 2023-12-18 | The Slider WordPress plugin before 3.5.12 does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any au… |
| CVE-2024-23517 | MEDIUM | 6.5 | 2024-02-10 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Start Booking Scheduling Plugin – Online Booking for WordPress allows Stored … |
| CVE-2024-1634 | MEDIUM | 6.5 | 2024-06-18 | The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsb_disconnect_sett… |
| CVE-2026-3098 | MEDIUM | 6.5 | 2026-03-27 | The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possi… |
| CVE-2013-0235 | MEDIUM | 6.4 | 2013-07-08 | The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL f… |
| CVE-2024-1424 | MEDIUM | 6.4 | 2024-04-09 | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and in… |
| CVE-2024-3027 | MEDIUM | 6.4 | 2024-04-13 | The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the upload function in all versions up to, and incl… |
| CVE-2024-6458 | MEDIUM | 6.4 | 2024-07-27 | The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_pres… |
| CVE-2025-5678 | MEDIUM | 6.4 | 2025-07-09 | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘redirectURL’ parameter in all version… |
| CVE-2017-15863 | MEDIUM | 6.1 | 2017-10-24 | Cross Site Scripting (XSS) exists in the wp-noexternallinks plugin before 3.5.19 for WordPress via the date1 or date2 parameter to wp-admin/options-general.php. |
| CVE-2024-9436 | MEDIUM | 6.1 | 2024-10-11 | The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of ad… |
| CVE-2018-20368 | MEDIUM | 5.4 | 2018-12-23 | The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the wp-admin/admin-ajax.php Name input field of the MSPanel.Settings value on Callback. |
| CVE-2023-0660 | MEDIUM | 5.4 | 2023-03-27 | The Smart Slider 3 WordPress plugin before 3.5.1.14 does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the sho… |
| CVE-2026-4065 | MEDIUM | 5.4 | 2026-04-07 | The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller… |
| CVE-2024-6545 | MEDIUM | 5.3 | 2024-07-27 | The Admin Trim Interface plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.5.1. This is due to the plugin utilizing bootstrap and … |
| CVE-2024-10813 | MEDIUM | 5.3 | 2024-11-23 | The Product Table for WooCommerce by CodeAstrology (wooproducttable.com) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including,… |
| CVE-2025-11816 | MEDIUM | 5.3 | 2025-11-01 | The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missi… |
| CVE-2010-4403 | MEDIUM | 5.0 | 2010-12-06 | The Register Plus plugin 3.5.1 and earlier for WordPress allows remote attackers to obtain sensitive information via a direct request to (1) dash_widget.php and (2) register-plus.… |
| CVE-2014-8604 | MEDIUM | 5.0 | 2015-06-10 | The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns the MySQL password in cleartext to a text box in the configuration panel, which allows remote attackers to obt… |
| CVE-2014-8605 | MEDIUM | 5.0 | 2015-06-10 | The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows … |
| CVE-2025-6348 | MEDIUM | 4.9 | 2025-07-30 | The Smart Slider 3 plugin for WordPress is vulnerable to time-based SQL Injection via the ‘sliderid’ parameter in all versions up to, and including, 3.5.1.28 due to insufficient e… |
| CVE-2026-9197 | MEDIUM | 4.9 | 2026-06-06 | The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possib… |
| CVE-2022-2118 | MEDIUM | 4.8 | 2022-07-17 | The 404s WordPress plugin before 3.5.1 does not sanitise and escape its fields, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the u… |
| CVE-2025-12034 | MEDIUM | 4.4 | 2025-10-25 | The Fast Velocity Minify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input… |
| CVE-2010-4402 | MEDIUM | 4.3 | 2010-12-06 | Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Register Plus plugin 3.5.1 and earlier for WordPress allow remote attackers to inject arbitrary web scri… |
| CVE-2013-2173 | MEDIUM | 4.3 | 2013-06-21 | wp-includes/class-phpass.php in WordPress 3.5.1, when a password-protected post exists, allows remote attackers to cause a denial of service (CPU consumption) via a crafted value … |
| CVE-2013-0236 | MEDIUM | 4.3 | 2013-07-08 | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery short… |
| CVE-2013-0237 | MEDIUM | 4.3 | 2013-07-08 | Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject… |
| CVE-2022-4549 | MEDIUM | 4.3 | 2023-01-16 | The Tickera WordPress plugin before 3.5.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a C… |
| CVE-2021-4416 | MEDIUM | 4.3 | 2023-07-12 | The wp-mpdf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1. This is due to missing or incorrect nonce validation on the m… |
| CVE-2023-6492 | MEDIUM | 4.3 | 2024-06-14 | The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to… |
| CVE-2024-11154 | MEDIUM | 4.3 | 2024-11-20 | The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up t… |
| CVE-2026-1930 | MEDIUM | 4.3 | 2026-04-22 | The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versi… |
| CVE-2014-8606 | MEDIUM | 4.0 | 2015-06-10 | Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to read arbitrary files via a .. (dot dot) in the fi… |
| CVE-2025-8013 | LOW | 3.8 | 2025-08-15 | The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function… |
| CVE-2014-8607 | LOW | 2.1 | 2015-06-10 | The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information… |
| CVE-2012-10025 | N/A | — | 2025-08-05 | The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configurati… |
WordPress 3.5.1 is no longer safe to operate. With 3 critical vulnerabilities allowing remote code execution and privilege escalation, your website could be completely compromised within days. The good news is that updating is straightforward and takes just minutes—far less time than recovering from a security breach.
Don't become another statistic. Use SiteRecipe.com's comprehensive WordPress security scanning tools to identify all vulnerabilities on your site, get personalized remediation guidance, and monitor your installation continuously. Our platform catches security issues before attackers do. Start your free security audit today at SiteRecipe.com and protect your business from these critical threats.