    Home /
    Blog /
    wordpress 3.6
  

Security Advisory

WordPress 3.6 Security Alert: 167 CVEs Found in 2024

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 34 websites still running wordpress 3.6 → View full list

167

Total

Critical

High

120

Medium

Low

WordPress 3.6, released in 2013, is now a legacy version that poses serious security risks to any website still running it. Recent security audits have uncovered 167 vulnerabilities, including 11 critical flaws that could allow attackers to take complete control of your site. If you're operating a website on this outdated platform, you're potentially exposing sensitive customer data, compromising site functionality, and risking complete system breach.

The most dangerous vulnerabilities in WordPress 3.6 include SQL injection attacks through popular plugins, arbitrary password changes, privilege escalation, and PHP object injection. These aren't theoretical threats—they're actively exploited by cybercriminals targeting legacy WordPress installations. With 34 websites still running this version, the attack surface is real and immediate.

This comprehensive guide walks you through identifying whether your site is vulnerable, understanding the specific threats you face, and taking action to secure your WordPress installation before hackers do.

What is Wordpress 3.6?

WordPress 3.6 was released in September 2013 and introduced the Media Manager, a significant improvement to how site owners handle images and multimedia content. While innovative at the time, this version is now over a decade old and no longer receives security updates from WordPress.org. Think of it like using a car from 2013—it still runs, but it lacks modern safety features that protect you from contemporary threats.

Running WordPress 3.6 today is equivalent to leaving your front door unlocked in a neighborhood where break-ins are common. The platform has evolved dramatically since 2013, with each newer version incorporating security patches and modernized code architecture. Staying on an ancient version means you're missing all the hardening work that WordPress developers have done to protect against evolving cyber threats. Major plugins and themes have also stopped supporting this version, leaving you with incompatible software and zero security maintenance.

Key Vulnerabilities in Wordpress 3.6

167 CVEs found. The most critical are explained below.

CRITICAL CVE-2022-0814 9.8/10 · CVSS v3.1 ⏱ Immediate

Ubigeo de Perú for Woocommerce - Database Attack Vulnerability

This plugin has a serious security flaw that allows attackers to directly access and manipulate your website's database without needing a password. Hackers can steal customer information, orders, and payment details through this weakness.

Impact: Attackers could steal all your customer data, order history, and potentially modify or delete critical business information. This could lead to identity theft for your customers and loss of trust in your business.

↗ View on NVD

CRITICAL CVE-2022-0867 9.8/10 · CVSS v3.1 ⏱ Immediate

Pricing Table Plugin - Database Injection Attack

The Pricing Table plugin fails to properly protect data entry points, allowing attackers to inject harmful code directly into your database. This happens through publicly accessible features that don't require a login.

Impact: Hackers can access, steal, or corrupt your pricing information and customer data. They could also modify prices, steal sensitive business information, or hijack your website.

↗ View on NVD

CRITICAL CVE-2022-1386 9.8/10 · CVSS v3.1 ⏱ Immediate

Fusion Builder/Avada Theme - Malicious Request Vulnerability

This popular theme builder doesn't properly validate form inputs, allowing attackers to trick your website into making requests to other computers. The hacker can see what information is returned and use it for further attacks.

Impact: Attackers could use your website to attack other sites, steal information from your server, or gain access to internal systems connected to your website.

↗ View on NVD

CRITICAL CVE-2024-9862 9.8/10 · CVSS v3.1 ⏱ Immediate

Miniorange OTP Plugin - Account Takeover Vulnerability

This authentication plugin has a flaw that allows anyone to change user passwords without permission. An attacker can reset admin or customer passwords and take over accounts.

Impact: Your website admin account could be taken over by attackers, giving them complete control. Customers' accounts could also be compromised, leading to fraud and loss of trust.

↗ View on NVD

CRITICAL CVE-2024-9863 9.8/10 · CVSS v3.1 ⏱ Immediate

Miniorange OTP Plugin - Unauthorized Admin Registration

This plugin automatically assigns administrator privileges to new accounts due to insecure default settings. Anyone can register and gain full admin control of your website.

Impact: Attackers can create admin accounts and gain complete control of your website, your customer data, and all business operations. This is a complete compromise of your site.

↗ View on NVD

CRITICAL CVE-2024-13786 9.8/10 · CVSS v3.1 ⏱ Immediate

Education Theme - Code Injection Vulnerability

This theme improperly handles data in a way that lets attackers inject malicious code into your website. The flaw allows attackers to execute harmful commands without needing credentials.

Impact: Attackers can inject malware, steal data, redirect visitors to malicious sites, or take complete control of your website to use it for illegal activities.

↗ View on NVD

Additional Vulnerabilities (161 more)

Showing first 10 of 161. View all on NVD ↗

CVE ID	Severity	Score	Published	Description
CVE-2025-6758	CRITICAL	9.8	2025-08-19	The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and …
CVE-2025-11833	CRITICAL	9.8	2025-11-01	The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability ch…
CVE-2022-36386	CRITICAL	9.1	2022-09-21	Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress.
CVE-2022-44584	CRITICAL	9.1	2022-11-18	Unauth. Arbitrary File Deletion vulnerability in WatchTowerHQ plugin <= 3.6.15 on WordPress.
CVE-2025-15484	CRITICAL	9.1	2026-04-01	The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides WooCommerce's permission checks to grant full access to all unauthenticated requests, enabling comp…
CVE-2021-34620	HIGH	8.8	2021-07-07	The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a miss…
CVE-2022-1329	HIGH	8.8	2022-04-19	The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onbo…
CVE-2022-4290	HIGH	8.8	2023-10-20	The Cyr to Lat plugin for WordPress is vulnerable to authenticated SQL Injection via the 'ctl_sanitize_title' function in versions up to, and including, 3.5 due to insufficient es…
CVE-2024-1772	HIGH	8.8	2024-03-13	The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via …
CVE-2024-3500	HIGH	8.8	2024-05-02	The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets…
CVE-2024-4033	HIGH	8.8	2024-05-02	The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the aiovg_create_attachment_from_external_image_ur…
CVE-2024-4670	HIGH	8.8	2024-05-15	The All-in-One Video Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.5 via the aiovg_search_form shortcode. This makes…
CVE-2024-12202	HIGH	8.8	2025-01-07	The Croma Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'ironMusic_a…
CVE-2025-12529	HIGH	8.8	2025-12-02	The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versi…
CVE-2024-4404	HIGH	8.5	2024-06-14	The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authent…
CVE-2024-9861	HIGH	8.1	2024-10-17	The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validatio…
CVE-2024-13656	HIGH	8.1	2025-02-12	The Click Mag - Viral WordPress News Magazine/Blog Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missi…
CVE-2025-7665	HIGH	8.1	2025-09-19	The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' …
CVE-2025-12851	HIGH	8.1	2025-12-05	The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the 'controller' parameter. This makes it possi…
CVE-2011-4671	HIGH	7.5	2011-12-02	SQL injection vulnerability in adrotate/adrotate-out.php in the AdRotate plugin 3.6.6, and other versions before 3.6.8, for WordPress allows remote attackers to execute arbitrary …
CVE-2013-4338	HIGH	7.5	2013-09-12	wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by trigge…
CVE-2013-4339	HIGH	7.5	2013-09-12	WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted stri…
CVE-2021-24906	HIGH	7.5	2022-01-24	The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plug…
CVE-2022-44583	HIGH	7.5	2022-11-18	Unauth. Arbitrary File Download vulnerability in WatchTowerHQ plugin <= 3.6.15 on WordPress.
CVE-2024-11728	HIGH	7.5	2024-12-06	The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data A…
CVE-2024-12416	HIGH	7.5	2025-01-07	The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to SQL Injection via the 'woomotiv_seen_products_.*' cookie in all versions up to, and in…
CVE-2024-13532	HIGH	7.5	2025-02-12	The Small Package Quotes – Purolator Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and inc…
CVE-2024-13478	HIGH	7.5	2025-02-19	The LTL Freight Quotes – TForce Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and includin…
CVE-2025-2011	HIGH	7.5	2025-05-06	The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insuffi…
CVE-2025-12850	HIGH	7.5	2025-12-05	The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the ‘auction_id’ parameter in all versions up to, and including, 3.6.32 due to insufficient escapin…
CVE-2026-3489	HIGH	7.5	2026-04-16	The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including…
CVE-2021-24889	HIGH	7.2	2021-11-29	The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections atta…
CVE-2022-2268	HIGH	7.2	2022-07-04	The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing …
CVE-2022-36375	HIGH	7.2	2022-07-25	Authenticated (high role user) WordPress Options Change vulnerability in Biplob Adhikari's Tabs plugin <= 3.6.0 at WordPress.
CVE-2022-2903	HIGH	7.2	2022-09-26	The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (in…
CVE-2022-2711	HIGH	7.2	2022-11-07	The Import any XML or CSV File to WordPress plugin before 3.6.9 is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as …
CVE-2022-3418	HIGH	7.2	2022-11-07	The Import any XML or CSV File to WordPress plugin before 3.6.9 is not properly filtering which file extensions are allowed to be imported on the server, which could allow adminis…
CVE-2024-32694	HIGH	7.1	2024-04-22	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative interactive media 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D Fl…
CVE-2026-4100	HIGH	7.1	2026-05-02	The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5…
CVE-2013-2705	MEDIUM	6.8	2014-05-13	Cross-site request forgery (CSRF) vulnerability in the WordPress Simple Paypal Shopping Cart plugin before 3.6 for WordPress allows remote attackers to hijack the authentication o…
CVE-2024-3710	MEDIUM	6.8	2024-07-13	The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which…
CVE-2024-11729	MEDIUM	6.5	2024-12-06	The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'service_list[0][service_id]' parameter of the get_widget_payme…
CVE-2024-11730	MEDIUM	6.5	2024-12-06	The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sort[]' parameter of the static_data_list AJAX action in all v…
CVE-2025-1572	MEDIUM	6.5	2025-02-28	The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 du…
CVE-2025-4593	MEDIUM	6.5	2025-07-11	The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'rp_user_data' shor…
CVE-2025-12000	MEDIUM	6.5	2025-11-08	The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and …
CVE-2025-10144	MEDIUM	6.5	2025-11-24	The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and…
CVE-2023-2082	MEDIUM	6.4	2023-07-14	The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 3.6 due to insufficient sanitization …
CVE-2023-4995	MEDIUM	6.4	2023-10-13	The Embed Calendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'calendly' shortcode in versions up to, and including, 3.6 due to insufficient input sanit…
CVE-2023-5252	MEDIUM	6.4	2023-10-30	The FareHarbor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.7 due to insufficient input sanitization and …
CVE-2023-4960	MEDIUM	6.4	2024-01-11	The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient inpu…
CVE-2024-1761	MEDIUM	6.4	2024-03-07	The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget/block in all versions up to, and including, 3.6.1 due to insufficient inp…
CVE-2024-2513	MEDIUM	6.4	2024-04-09	The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageAlt' block attribute in all versions up to, and including, 3.6.2 due to insufficien…
CVE-2024-2801	MEDIUM	6.4	2024-04-12	The Shopkeeper Extender plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'image_slide' shortcode in all versions up to, and including, 3.6 due to…
CVE-2024-1957	MEDIUM	6.4	2024-04-13	The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode in all versions up t…
CVE-2024-3598	MEDIUM	6.4	2024-04-19	The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Creative Button widget in all versions up to, and including, 3.6.0 due to in…
CVE-2024-4452	MEDIUM	6.4	2024-05-21	The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 3.6.1 due to insufficient input san…
CVE-2024-5892	MEDIUM	6.4	2024-06-12	The Divi Torque Lite – Divi Theme and Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘support_unfiltered_files_upload’ function in all versi…
CVE-2024-5263	MEDIUM	6.4	2024-06-15	The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Motion Text and Table widgets in all versions up to, and including, 3.6.2 du…
CVE-2024-7064	MEDIUM	6.4	2024-08-15	The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 3.6.5 due to insufficient input …
CVE-2024-10227	MEDIUM	6.4	2024-10-29	The affiliate-toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atkp_product shortcode in all versions up to, and including, 3.6.5 due to …
CVE-2024-11198	MEDIUM	6.4	2024-11-19	The GD Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘extra_class’ parameter in all versions up to, and including, 3.6.1 due to insuffici…
CVE-2024-11906	MEDIUM	6.4	2024-12-17	The TPG Get Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tpg_get_posts' shortcode in all versions up to, and including, 3.6.5 due to i…
CVE-2025-0369	MEDIUM	6.4	2025-01-18	The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘list_tag’ parameter in all versions up to, and including, 3.6.2 due to insufficient input …
CVE-2025-0506	MEDIUM	6.4	2025-02-12	The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the titleTag parameter in all versions up to, and includi…
CVE-2025-1517	MEDIUM	6.4	2025-02-26	The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stor…
CVE-2024-6261	MEDIUM	6.4	2025-02-27	The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'FinalTilesGallery' shortcode in all versions up to, an…
CVE-2025-2906	MEDIUM	6.4	2025-04-01	The Contempo Real Estate Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.3 due to insufficient input sa…
CVE-2025-3488	MEDIUM	6.4	2025-05-02	The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpml_language_switcher shortcode in versions 3.6.0 - 4.7.3 due to insufficient input sa…
CVE-2025-10737	MEDIUM	6.4	2025-10-25	The Open Source Genesis Framework theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.6.0 due to in…
CVE-2025-12710	MEDIUM	6.4	2025-11-19	The Pet-Manager – Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to in…
CVE-2025-13693	MEDIUM	6.4	2025-12-21	The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3…
CVE-2026-3333	MEDIUM	6.4	2026-03-21	The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due t…
CVE-2020-10195	MEDIUM	6.3	2020-03-13	The popup-builder plugin before 3.64.1 for WordPress allows information disclosure and settings modification, leading to in-scope privilege escalation via admin-post actions to co…
CVE-2023-2066	MEDIUM	6.3	2023-06-09	The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'bul…
CVE-2018-18069	MEDIUM	6.1	2018-10-08	process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authe…
CVE-2020-10196	MEDIUM	6.1	2020-03-13	An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax acti…
CVE-2020-29172	MEDIUM	6.1	2020-12-26	A cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin before 3.6.1 for WordPress can be exploited via the Server IP setting.
CVE-2022-0653	MEDIUM	6.1	2022-02-24	The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url p…
CVE-2022-0641	MEDIUM	6.1	2022-03-28	The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Sit…
CVE-2023-0334	MEDIUM	6.1	2023-02-27	The ShortPixel Adaptive Images WordPress plugin before 3.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scri…
CVE-2023-1835	MEDIUM	6.1	2023-05-15	The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scrip…
CVE-2024-10675	MEDIUM	6.1	2024-11-21	The affiliate-toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 3.6.7 due to insufficient input sanitiza…
CVE-2024-11707	MEDIUM	6.1	2024-12-03	The My auctions allegro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.6.17 due to insuffici…
CVE-2024-13363	MEDIUM	6.1	2025-02-19	The Raptive Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'poc' parameter in all versions up to, and including, 3.6.3 due to insufficient input …
CVE-2025-13137	MEDIUM	6.1	2025-12-06	The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up t…
CVE-2025-12076	MEDIUM	6.1	2025-12-13	The Social Media Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage parameter in all versions up to, and including, 3.6.5 due to ins…
CVE-2026-3349	MEDIUM	6.1	2026-05-27	The MinhNhut Link Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter on the redirect page in all versions up to, and including, 3…
CVE-2024-30444	MEDIUM	5.9	2024-03-29	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zionbuilder.Io WordPress Page Builder – Zion Builder allows Stored XSS.This i…
CVE-2023-2168	MEDIUM	5.5	2023-04-19	The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Suggest Terms Title field in versions up to, and including, 3.6.4 due to insufficient input…
CVE-2023-2169	MEDIUM	5.5	2023-04-19	The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Related Posts functionality in versions up to, and including, 3.6.4 due to insufficient inp…
CVE-2023-2170	MEDIUM	5.5	2023-04-19	The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Related Posts functionality in versions up to, and including, 3.6.4 due to insufficient inp…
CVE-2020-14959	MEDIUM	5.4	2020-06-22	Multiple XSS vulnerabilities in the Easy Testimonials plugin before 3.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the wp-admin/post.php Clien…
CVE-2020-35946	MEDIUM	5.4	2021-01-01	An issue was discovered in the All in One SEO Pack plugin before 3.6.2 for WordPress. The SEO Description and Title fields are vulnerable to unsanitized input from a Contributor, …
CVE-2021-24211	MEDIUM	5.4	2021-04-05	The WordPress Related Posts plugin through 3.6.4 contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. By exploiting that an attacke…
CVE-2022-4664	MEDIUM	5.4	2023-02-06	The Logo Slider WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed…
CVE-2022-3194	MEDIUM	5.4	2024-01-16	The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like s…
CVE-2023-6499	MEDIUM	5.4	2024-02-12	The lasTunes WordPress plugin through 3.6.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in…
CVE-2024-0828	MEDIUM	5.4	2024-03-13	The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability chec…
CVE-2024-2837	MEDIUM	5.4	2024-04-26	The WP Chat App WordPress plugin before 3.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Script…
CVE-2024-10584	MEDIUM	5.4	2024-12-24	The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and…
CVE-2025-39545	MEDIUM	5.4	2025-04-16	Missing Authorization vulnerability in miniOrange WordPress REST API Authentication wp-rest-api-authentication allows Exploiting Incorrectly Configured Access Control Security Lev…
CVE-2025-12887	MEDIUM	5.4	2025-12-03	The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user …
CVE-2025-14455	MEDIUM	5.4	2025-12-19	The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not prop…
CVE-2025-69022	MEDIUM	5.4	2025-12-30	Missing Authorization vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security …
CVE-2025-15466	MEDIUM	5.4	2026-01-20	The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actio…
CVE-2025-1794	MEDIUM	5.4	2026-04-08	The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input …
CVE-2023-35909	MEDIUM	5.3	2023-12-07	Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress leading to DoS.This issue affects Ninja F…
CVE-2024-0680	MEDIUM	5.3	2024-02-28	The WP Private Content Plus plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 3.6. This is due to the plugin not properly restrict…
CVE-2024-11292	MEDIUM	5.3	2024-12-06	The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1 via the WordPress core search feature.…
CVE-2024-13364	MEDIUM	5.3	2025-02-19	The Raptive Ads plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the site_ads_files_reset() and cls_file_reset() functions in all ver…
CVE-2025-1285	MEDIUM	5.3	2025-03-14	The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX act…
CVE-2025-4390	MEDIUM	5.3	2025-08-12	The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' functi…
CVE-2025-10486	MEDIUM	5.3	2025-10-15	The Content Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.8 through publicly exposed log files. This makes …
CVE-2025-12468	MEDIUM	5.3	2025-11-05	The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up …
CVE-2025-12353	MEDIUM	5.3	2025-11-08	The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration i…
CVE-2025-13950	MEDIUM	5.3	2025-12-15	The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functiona…
CVE-2025-14757	MEDIUM	5.3	2026-01-16	The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination w…
CVE-2026-0927	MEDIUM	5.3	2026-01-23	The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport…
CVE-2025-10048	MEDIUM	4.9	2025-10-11	The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 3.6.31 due to insufficient escaping on …
CVE-2021-24706	MEDIUM	4.8	2021-11-08	The Qwizcards – online quizzes and flashcards WordPress plugin before 3.62 does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cro…
CVE-2021-24714	MEDIUM	4.8	2021-12-06	The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could …
CVE-2022-0884	MEDIUM	4.8	2022-04-04	The Profile Builder WordPress plugin before 3.6.8 does not sanitise and escape Form Fields titles and description, which could allow high privilege user such as admin to perform C…
CVE-2021-36827	MEDIUM	4.8	2022-06-16	Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin <= 3.6.9 at WordPress via "label".
CVE-2021-25056	MEDIUM	4.8	2022-07-04	The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even w…
CVE-2021-25066	MEDIUM	4.8	2022-07-04	The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks …
CVE-2022-3070	MEDIUM	4.8	2022-09-26	The Generate PDF WordPress plugin before 3.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even wh…
CVE-2023-4109	MEDIUM	4.8	2023-08-30	The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability.
CVE-2023-5530	MEDIUM	4.8	2023-11-06	The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored X…
CVE-2024-4664	MEDIUM	4.8	2024-06-27	The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Script…
CVE-2024-7716	MEDIUM	4.8	2024-09-11	The Logo Slider WordPress plugin before 3.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site…
CVE-2023-4648	MEDIUM	4.4	2023-10-20	The WP Customer Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.6.6 due to insufficient input sani…
CVE-2024-0612	MEDIUM	4.4	2024-02-05	The Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versi…
CVE-2026-3348	MEDIUM	4.4	2026-05-27	The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings (Description, Title, and other fields) in all versions up to,…
CVE-2011-3850	MEDIUM	4.3	2011-09-28	Cross-site scripting (XSS) vulnerability in the Atahualpa theme before 3.6.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3862	MEDIUM	4.3	2011-09-28	Cross-site scripting (XSS) vulnerability in the Morning Coffee theme before 3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to i…
CVE-2013-5738	MEDIUM	4.3	2013-09-12	The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, whi…
CVE-2014-4514	MEDIUM	4.3	2014-10-21	Cross-site scripting (XSS) vulnerability in includes/api_tenpay/inc.tenpay_notify.php in the Alipay plugin 3.6.0 and earlier for WordPress allows remote attackers to inject arbitr…
CVE-2022-0199	MEDIUM	4.3	2022-02-21	The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to…
CVE-2020-36749	MEDIUM	4.3	2023-07-01	The Easy Testimonials plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.1. This is due to missing or incorrect nonce validatio…
CVE-2021-4397	MEDIUM	4.3	2023-07-01	The Staff Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6. This is due to missing or incorrect nonce valida…
CVE-2020-36753	MEDIUM	4.3	2023-10-20	The Hueman theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.3. This is due to missing or incorrect nonce validation on the sav…
CVE-2023-4686	MEDIUM	4.3	2023-11-22	The WP Customer Reviews plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.6.6 via the ajax_enabled_posts function. This can …
CVE-2024-24837	MEDIUM	4.3	2024-02-21	Cross-Site Request Forgery (CSRF) vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce, Frédéric GILLES FG Drupal to WordPress, Frédéric GILLES FG Joomla to WordPress.Thi…
CVE-2024-0827	MEDIUM	4.3	2024-03-13	The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.…
CVE-2024-1489	MEDIUM	4.3	2024-03-13	The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.9. This is due to missin…
CVE-2024-2326	MEDIUM	4.3	2024-03-23	The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and inc…
CVE-2023-6257	MEDIUM	4.3	2024-04-11	The Inline Related Posts WordPress plugin before 3.6.0 is missing authorization in an AJAX action to ensure that users are allowed to see the content of the posts displayed, allow…
CVE-2024-7063	MEDIUM	4.3	2024-08-15	The ElementsKit Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.6 via the 'render_raw' function. This can allow …
CVE-2024-10533	MEDIUM	4.3	2024-11-16	The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajax_install_plugin() function in all versions up t…
CVE-2024-11724	MEDIUM	4.3	2024-12-12	The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification…
CVE-2025-29005	MEDIUM	4.3	2025-06-06	Cross-Site Request Forgery (CSRF) vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Cross Site Request Forgery.This issue affects …
CVE-2025-12469	MEDIUM	4.3	2025-11-05	The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and i…
CVE-2025-14783	MEDIUM	4.3	2025-12-31	The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the re…
CVE-2026-1857	MEDIUM	4.3	2026-02-18	The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficie…
CVE-2026-2633	MEDIUM	4.3	2026-02-18	The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capabi…
CVE-2026-2826	MEDIUM	4.3	2026-04-04	The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due …
CVE-2026-7533	MEDIUM	4.3	2026-05-28	The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification …
CVE-2021-36915	MEDIUM	4.2	2022-10-11	Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import…
CVE-2013-4340	LOW	3.5	2013-09-12	wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified use…
CVE-2013-5739	LOW	3.5	2013-09-12	The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-sit…

          Full Report Available
        

All 167 CVEs with AI explanations + fix guide

Plain English · Fix recommendations · Instant PDF & HTML download

⬇ Get Full Report

          PDF + HTML · Instant download
        

Is your website running Wordpress 3.6?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 34 affected sites

How to Check If Your Website Is Affected

1 Log into your WordPress admin dashboard and click 'Settings' then 'General' to view your current WordPress version number at the bottom of the page
2 Alternatively, view your site's source code by pressing Ctrl+U in your browser, searching for 'wp-content/themes' to confirm you're using WordPress
3 Check your hosting control panel (cPanel, Plesk, etc.) where your WordPress installation details are often displayed with version information

How to Fix These Vulnerabilities

1 Backup your entire website immediately using your hosting provider's backup tool or a WordPress backup plugin—this is critical before making any changes
2 Update WordPress to the latest stable version by navigating to Dashboard > Updates and clicking 'Update Now', or contact your host for assisted upgrade if you lack technical access
3 After updating, test all critical functionality including user logins, contact forms, payment processing, and content display to ensure nothing broke during migration
4 Update all plugins and themes to their latest versions, as older plugins compatible with WordPress 3.6 often contain their own critical vulnerabilities

Conclusion

WordPress 3.6 represents an unacceptable security risk in today's threat landscape. With 11 critical vulnerabilities actively being exploited, your website could be compromised within hours of going live on the internet. The cost of recovery from a breach—including data theft, malware removal, reputation damage, and potential legal liability—far exceeds the minimal effort required to upgrade to a modern WordPress version.

Don't gamble with your website's security. Use SiteRecipe.com's comprehensive vulnerability scanner to identify all security weaknesses in your WordPress installation, create an upgrade roadmap tailored to your specific setup, and implement fixes with step-by-step guidance. Our platform makes WordPress security management effortless, giving you peace of mind that your site is protected against current and emerging threats. Start your free security audit today at SiteRecipe.com and join thousands of website owners who've eliminated their vulnerability risk.

Frequently Asked Questions

What happens if I don't update from WordPress 3.6?

Your website becomes increasingly vulnerable to automated attacks that exploit the 167 known vulnerabilities, particularly the 11 critical flaws. Attackers can inject malware, steal customer data, redirect visitors to malicious sites, or completely take over your site's administration. Insurance and compliance requirements (PCI-DSS, HIPAA, GDPR) often mandate current software versions, so you may face legal liability if a breach occurs on an outdated platform.

Will updating to a newer WordPress version break my site?

Most modern WordPress updates are backward-compatible and won't break properly-coded sites. However, very old custom code or discontinued plugins may have issues. This is exactly why backing up before updating is essential. SiteRecipe.com helps you identify compatibility problems before you update, allowing you to plan changes and avoid unexpected downtime.

Can I stay on WordPress 3.6 if I add extra security measures?

No. While security plugins provide some protection, they cannot patch the core WordPress vulnerabilities in version 3.6. Security layers are intended to supplement, not replace, current software updates. Upgrading to a supported version is the only reliable way to eliminate these critical flaws permanently.

How long does it take to update from WordPress 3.6?

The WordPress core update typically takes 5-15 minutes. However, testing and updating plugins/themes may add 30 minutes to several hours depending on your site complexity. Many hosting providers offer managed WordPress updates if you prefer professional assistance, ensuring minimal disruption to your site.

What's the difference between the 11 critical and 34 high-severity vulnerabilities?

Critical vulnerabilities (like SQL injection and privilege escalation) allow attackers to take complete control of your site with minimal effort. High-severity vulnerabilities typically require more steps to exploit but still pose serious risks. Both require immediate patching—this isn't a 'fix these first' situation; updating WordPress addresses all vulnerability tiers simultaneously.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 34 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com