WordPress 3.5.2 is an outdated version that contains 31 known security vulnerabilities, including 3 critical flaws that could allow attackers to take complete control of your website. While this version was released over a decade ago, security research shows that 56 websites are still running it—putting their data, visitor information, and business reputation at serious risk.
If your site is still powered by WordPress 3.5.2, you're likely exposed to multiple attack vectors including remote code execution, SQL injection, and cross-site scripting (XSS) attacks. These vulnerabilities can be exploited by cybercriminals to steal sensitive data, inject malware, deface your website, or use your server for illegal activities.
This comprehensive guide will help you understand what vulnerabilities exist in WordPress 3.5.2, how to check if you're affected, and most importantly, how to upgrade and secure your website immediately.
WordPress 3.5.2 was released in 2013 as a maintenance update to the popular content management system. At that time, it was considered secure and included several bug fixes and improvements. However, like all software, WordPress evolves to address newly discovered security threats. WordPress 3.5.2 is now nearly 11 years old, and security researchers have identified numerous vulnerabilities that didn't exist when the version was released.
Think of WordPress 3.5.2 like an old lock on your front door. When it was installed, it provided adequate security for its time. But as thieves develop new lock-picking techniques, that old lock becomes increasingly vulnerable to break-ins. Modern WordPress versions are regularly updated with security patches to defend against new threats, while WordPress 3.5.2 receives no updates whatsoever, leaving it exposed to contemporary attack methods.
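Before looking at the individual flaws, it helps to confirm which core version a site you administer is actually running. The script below is an added example, not SiteRecipe's scanner: it reads the version from the `$wp_version` assignment WordPress ships in `wp-includes/version.php`, or from the generator meta tag in a rendered page, and flags anything older than 3.5.2, the release the table's 2013 core entries (CVE-2013-2199 through CVE-2013-2205) name as the fix. The sample inputs are constructed, and the reference version is a caller-supplied assumption.

```python
import re

# Version in which WordPress fixed the 2013 core issues in the table on this page
# (CVE-2013-2199 through CVE-2013-2205 all read "WordPress before 3.5.2").
CORE_FIX = (3, 5, 2)

# Two places a site reveals its own core version: the $wp_version assignment
# in wp-includes/version.php and the generator meta tag in rendered pages.
_PHP_RE = re.compile(r"""\$wp_version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")
_META_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s+([0-9]+(?:\.[0-9]+)*)""",
    re.IGNORECASE,
)

# Constructed samples so the script runs offline; not captured from a real site.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.5.2';\n"
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 3.5.1" /></head></html>'


def parse_version(text: str) -> tuple:
    """'3.5.2' -> (3, 5, 2); shorter strings are zero-padded so tuples compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def detect_version(text: str):
    """Return the version tuple found in version.php source or HTML, or None if absent."""
    match = _PHP_RE.search(text) or _META_RE.search(text)
    return parse_version(match.group(1)) if match else None


def assess(text: str, reference: str = "3.5.2") -> dict:
    """Report the detected version, whether it predates the 3.5.2 core fixes, and
    whether it is older than a caller-supplied reference (e.g. the current release)."""
    version = detect_version(text)
    if version is None:
        return {"detected": False, "version": None,
                "predates_core_fix": None, "older_than_reference": None}
    return {
        "detected": True,
        "version": ".".join(map(str, version)),
        "predates_core_fix": version < CORE_FIX,
        "older_than_reference": version < parse_version(reference),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_VERSION_PHP, SAMPLE_HTML):
        print(assess(sample, reference="3.5.2"))
```

Pass the currently released WordPress version as `reference` to get an "outdated" verdict rather than only the 3.5.2 comparison.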
31 CVEs found. The most critical are explained below.
The Social Warfare plugin has a serious flaw that lets hackers run their own commands directly on your website's server. This happens through a feature called 'swp_url' that doesn't properly check what data it receives.
Impact: A hacker could take complete control of your website, steal customer data, install malware, or shut down your site entirely without needing to log in.
The Astra Pro Addon plugin fails to properly filter user input before using it in database requests. Attackers can exploit this through pagination features that work for both visitors and logged-in users.
Impact: Hackers can access, modify, or delete your database contents, potentially exposing sensitive customer information or corrupting your website's data.
The WP User Frontend plugin stores encrypted account permission levels in user registration forms. If an attacker obtains your site's encryption keys, they can decrypt and modify what permissions new accounts receive.
Impact: An attacker could create admin accounts for themselves, giving them full control over your website and all its data.
An older file upload feature in WordPress (before version 3.5.2) doesn't properly validate text parameters, allowing attackers to inject malicious scripts. This flaw exists in the SWFUpload tool used for media uploads.
Impact: Visitors to your site could be redirected to malicious pages, have their information stolen, or experience their browsers infected with malware.
The WP User Frontend plugin's subscriber dashboard doesn't properly filter the 'status' parameter before querying the database. This allows attackers to inject malicious code through the subscriber management area.
Impact: Hackers can access your subscriber database, modify records, display hidden information on your site, or compromise visitor browsers through injected scripts.
The Easy Property Listings plugin doesn't properly secure the 'property_status' shortcode, allowing attackers to craft special queries that slowly extract information from your database without being detected immediately.
Impact: Attackers can slowly steal sensitive data from your database over time, including property information and potentially customer details.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-3240 | HIGH | 8.8 | 2024-05-04 | The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_e… |
| CVE-2024-13655 | HIGH | 8.1 | 2025-03-07 | The Flex Mag - Responsive WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capabil… |
| CVE-2024-4838 | HIGH | 7.5 | 2024-05-16 | The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_e… |
| CVE-2025-30608 | HIGH | 7.1 | 2025-03-24 | Cross-Site Request Forgery (CSRF) vulnerability in Anthony WordPress SQL Backup wordpress-sql-backup allows Stored XSS. This issue affects WordPress SQL Backup: from n/a through <=… |
| CVE-2024-3988 | MEDIUM | 6.4 | 2024-04-25 | The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stor… |
| CVE-2024-7136 | MEDIUM | 6.4 | 2024-08-16 | The JetSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 3.5.2 due to insufficient input saniti… |
| CVE-2025-4610 | MEDIUM | 6.4 | 2025-05-17 | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and inc… |
| CVE-2025-4479 | MEDIUM | 6.4 | 2025-06-19 | The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in al… |
| CVE-2025-6756 | MEDIUM | 6.4 | 2025-07-01 | The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's UACF7_CUSTOM_FIELDS shortcode in all versions up to, and inc… |
| CVE-2025-3614 | MEDIUM | 6.4 | 2025-07-24 | The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, an… |
| CVE-2024-3237 | MEDIUM | 5.4 | 2024-05-04 | The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice() function in all versions up to… |
| CVE-2023-7252 | MEDIUM | 5.3 | 2024-04-22 | The Tickera WordPress plugin before 3.5.2.5 does not prevent users from leaking other users' tickets. |
| CVE-2025-11271 | MEDIUM | 5.3 | 2025-11-06 | The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verificati… |
| CVE-2023-5243 | MEDIUM | 4.8 | 2023-10-31 | The Login Screen Manager WordPress plugin through 3.5.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored C… |
| CVE-2024-7955 | MEDIUM | 4.8 | 2024-09-10 | The Starbox WordPress plugin before 3.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scr… |
| CVE-2013-2199 | MEDIUM | 4.3 | 2013-07-08 | The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) i… |
| CVE-2013-2201 | MEDIUM | 4.3 | 2013-07-08 | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) uploads of me… |
| CVE-2013-2202 | MEDIUM | 4.3 | 2013-07-08 | WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity … |
| CVE-2013-2203 | MEDIUM | 4.3 | 2013-07-08 | WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the a… |
| CVE-2013-2204 | MEDIUM | 4.3 | 2013-07-08 | moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) chara… |
| CVE-2013-2205 | MEDIUM | 4.3 | 2013-07-08 | The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy … |
| CVE-2022-1842 | MEDIUM | 4.3 | 2022-06-27 | The OpenBook Book Data WordPress plugin through 3.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change th… |
| CVE-2024-5860 | MEDIUM | 4.3 | 2024-06-18 | The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action i… |
| CVE-2026-1298 | MEDIUM | 4.3 | 2026-01-28 | The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `im… |
| CVE-2013-2200 | MEDIUM | 4.0 | 2013-07-08 | WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reas… |
Running WordPress 3.5.2 is like leaving your front door wide open for cybercriminals. With 3 critical vulnerabilities allowing remote code execution, plus SQL injection flaws and XSS attacks, your website is in serious danger. The good news is that upgrading is straightforward and takes less than an hour for most sites. Modern WordPress versions include automatic security updates, powerful built-in security features, and ongoing support from thousands of developers worldwide.
Don't wait for a security breach to force action. Use SiteRecipe.com to scan your website for vulnerabilities today, get a detailed report of any issues, and receive personalized recommendations for securing your site. Our expert security team can guide you through every step of the upgrade process and help you implement best practices to keep your WordPress site safe. Visit SiteRecipe.com now and take the first step toward a more secure website.