WordPress 3.6.1, released over a decade ago, is still running on approximately 67 websites worldwide. However, security researchers have identified a staggering 35 vulnerabilities in this version, including 3 critical-level flaws that pose immediate threats to site security. These vulnerabilities range from SQL injection attacks to unauthorized file deletion, making this outdated version a prime target for cybercriminals.
If your website is still using WordPress 3.6.1, you're operating with significantly outdated security protections. Modern attackers actively exploit known vulnerabilities in older versions, and leaving your site unpatched is like leaving your front door unlocked. This guide will help you understand the risks, identify if you're vulnerable, and take immediate action to protect your website and user data.
WordPress 3.6.1 is an ancient version of the WordPress content management system, originally released in 2013. At that time, it was considered secure and feature-rich for managing websites and blogs. However, over the past decade, security researchers have continuously discovered new vulnerabilities in this version that were previously unknown. These flaws have never been patched because WordPress 3.6.1 is no longer supported by the development team.
Think of WordPress 3.6.1 like an old car model from 2013—it might still run, but it lacks modern safety features and security systems that newer models have. Hackers know exactly which vulnerabilities exist in this version and actively target websites still using it. Running WordPress 3.6.1 in 2024 is extremely dangerous and puts your entire website at risk of being compromised, hacked, or used to spread malware.
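The first practical step is confirming which core version a site actually runs. The script below is an added example (not code from the page or from WordPress itself) that reads `wp-includes/version.php` from an install on disk as plain text, without executing it, and reports whether the version is at or below 3.6.1. The install path is an assumed command-line argument.

```php
<?php
// Added example: report whether a WordPress install is still on 3.6.1 or older.
// Usage (path is an assumed argument):  php wp-version-check.php /var/www/example
declare(strict_types=1);

const REFERENCE_VERSION = '3.6.1'; // the release this page is about

function wp_version_from_install(string $root): ?string
{
    $file = rtrim($root, '/') . '/wp-includes/version.php';
    if (!is_readable($file)) {
        return null;
    }
    // version.php assigns $wp_version; read it as text so this check never
    // executes code from the site being examined.
    $src = file_get_contents($file);
    if ($src === false || !preg_match('/\$wp_version\s*=\s*[\'"]([^\'"]+)[\'"]/', $src, $m)) {
        return null;
    }
    return $m[1];
}

function classify(string $version, string $reference = REFERENCE_VERSION): string
{
    // version_compare() handles '3.6.1', '3.6.1-alpha', '6.5', etc.
    if (version_compare($version, $reference, '<=')) {
        return "UNSUPPORTED: $version is at or below $reference";
    }
    return "newer than $reference: $version (still confirm it is a currently supported release)";
}

$root = $argv[1] ?? getcwd();
$found = wp_version_from_install($root);
if ($found === null) {
    fwrite(STDERR, "No readable wp-includes/version.php under $root\n");
    exit(2);
}
$verdict = classify($found);
echo $verdict, PHP_EOL;
// Exit 1 when outdated so the check can gate a deployment or monitoring job.
exit(strncmp($verdict, 'UNSUPPORTED', 11) === 0 ? 1 : 0);
```

The comparison only establishes that the core version is old; plugins and themes each carry their own version and need the same treatment.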
35 CVEs found. The most critical are explained below.
The Pricing Table plugin has a security hole that lets attackers send malicious data directly to your website's database without logging in. This happens because the plugin doesn't properly check or clean the information before using it in database commands.
Impact: Attackers could steal sensitive data from your website, modify pricing information, or corrupt your database without needing a password.
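To make the flaw concrete, here is an added example (not the Pricing Table plugin's code, nor anything from the page) of an AJAX price-update endpoint written first in the unsafe shape the description implies, then hardened. It assumes it runs inside WordPress, so `$wpdb`, `add_action`, `check_ajax_referer`, `current_user_can`, `absint` and `wp_send_json_*` are the core APIs; the table name `pricing_rows`, the action names and the nonce action are assumed.

```php
<?php
// Added example: unauthenticated SQL injection pattern and its hardened form.

// UNSAFE: registered for logged-out visitors (the _nopriv hook), no nonce,
// no capability check, and request values concatenated straight into SQL.
add_action('wp_ajax_nopriv_ptable_update_price_unsafe', 'ptable_update_price_unsafe');
function ptable_update_price_unsafe() {
    global $wpdb;
    $id    = $_POST['id'];
    $price = $_POST['price'];
    $wpdb->query("UPDATE wp_pricing_rows SET price = '$price' WHERE id = $id");
    wp_send_json_success();
}

// HARDENED: authenticated users only (no _nopriv twin), CSRF nonce,
// capability check, typed input, and a placeholder-bound query.
add_action('wp_ajax_ptable_update_price', 'ptable_update_price');
function ptable_update_price() {
    global $wpdb;
    check_ajax_referer('ptable_update_price', 'nonce'); // assumed nonce action name
    if (!current_user_can('manage_options')) {          // authorisation
        wp_send_json_error('forbidden', 403);
    }
    $id    = absint($_POST['id'] ?? 0);
    $price = isset($_POST['price']) ? (float) $_POST['price'] : null;
    if ($id === 0 || $price === null || $price < 0) {
        wp_send_json_error('invalid input', 400);
    }
    $table = $wpdb->prefix . 'pricing_rows';
    // %d and %f are bound by $wpdb->prepare(); user input never touches the SQL text.
    $sql = $wpdb->prepare("UPDATE {$table} SET price = %f WHERE id = %d", $price, $id);
    $wpdb->query($sql);
    wp_send_json_success();
}
```

Each of the three controls addresses a distinct failure: the missing `_nopriv` registration closes unauthenticated access, the nonce and capability check stop a logged-in but unprivileged user or a forged request, and `prepare()` removes the injection even if the other two were misconfigured.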
The education theme can be tricked into running dangerous code because it doesn't properly validate information it receives. An attacker can craft special data that, when processed, allows them to execute harmful commands on your site.
Impact: Hackers could gain control of your website, install malware, steal data, or use your site to attack other websites.
The WatchTowerHQ plugin allows attackers to delete any files from your website without logging in. The plugin doesn't verify that the person requesting the deletion actually has permission to do so.
Impact: Your website could be partially or completely destroyed by deleting critical files needed to run WordPress.
WordPress has a flaw in how it processes saved data. An attacker can exploit this to run unauthorized code by sending specially crafted information that tricks WordPress into executing malicious commands.
Impact: Your entire website could be compromised, allowing attackers to steal information, modify content, or take full control of your site.
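The "saved data" problem is PHP object injection: if stored data is fed to `unserialize()` without restriction, a payload can name any loaded class and have its magic methods run. The following is an added example (not WordPress core code and not from the page) showing the risky read, the same read with class instantiation disabled, and a JSON-based alternative for new settings code. It assumes WordPress's `get_option`, `update_option` and `wp_json_encode`; the option name is assumed.

```php
<?php
// Added example: reading persisted data without letting it instantiate objects.

// RISKY: unrestricted unserialize() constructs whatever class the payload names
// and triggers its __wakeup()/__destruct() logic.
function example_read_settings_risky(string $raw): array {
    return (array) unserialize($raw);
}

// SAFER: allowed_classes => false turns any object in the payload into
// __PHP_Incomplete_Class, so no gadget code runs; arrays and scalars still round-trip.
function example_read_settings_safe(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// SAFEST for new code: JSON has no object-instantiation semantics at all.
function example_save_settings(array $settings): void {
    update_option('example_settings', wp_json_encode($settings), false); // assumed option name
}

function example_load_settings(): array {
    $raw  = get_option('example_settings', '[]');
    $data = json_decode((string) $raw, true);
    return is_array($data) ? $data : [];
}
```

The `allowed_classes` option exists from PHP 7.0, so the safer reader needs no WordPress changes; the JSON variant is the one to prefer when the stored structure is plain configuration.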
WordPress doesn't properly check where it's sending users when they click certain links. An attacker can craft a link that appears legitimate but secretly redirects visitors to a malicious website.
Impact: Your visitors could be tricked into visiting phishing sites or malware pages, damaging your reputation and exposing them to attacks.
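This is the open-redirect class. As an added example (not code from the page or from WordPress core), the block below contrasts a redirect that trusts a request parameter with the core-provided safe variant. It assumes WordPress's `wp_redirect`, `wp_safe_redirect`, `wp_validate_redirect`, `wp_unslash` and `home_url`; the parameter name `next` and the partner host are assumed.

```php
<?php
// Added example: open redirect versus host-restricted redirect in WordPress.

// UNSAFE: whatever arrives in ?next= becomes the Location header, so a link
// that appears to point at this site can send the visitor to any host.
function example_redirect_unsafe() {
    wp_redirect($_GET['next']);
    exit;
}

// HARDENED: wp_safe_redirect() only follows locations on the site's own host
// (plus hosts added via the 'allowed_redirect_hosts' filter); anything else
// falls back to the admin URL.
function example_redirect_safe() {
    $next = isset($_GET['next']) ? wp_unslash($_GET['next']) : '';
    wp_safe_redirect($next !== '' ? $next : home_url('/'));
    exit;
}

// To decide without redirecting: wp_validate_redirect() returns the fallback
// ('' here) when the location is not on an allowed host.
function example_is_local_redirect(string $location): bool {
    return wp_validate_redirect($location, '') !== '';
}

// Allow one extra host explicitly rather than bypassing the check.
add_filter('allowed_redirect_hosts', function (array $hosts): array {
    $hosts[] = 'sso.example.com'; // assumed partner host
    return $hosts;
});
```

Auditing a site for this pattern is a matter of finding `wp_redirect` (or raw `header('Location: ...')`) calls whose argument traces back to `$_GET`, `$_POST` or `$_SERVER['HTTP_REFERER']`.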
The WatchTowerHQ plugin allows anyone to download files from your website without logging in. The plugin doesn't check permissions, so sensitive files can be accessed by anyone who knows how to ask for them.
Impact: Confidential information like customer data, financial records, or configuration files could be stolen and exposed publicly.
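Both WatchTowerHQ entries above (unauthenticated file deletion and unauthenticated file download) share one root cause: a file-handling endpoint reachable without an authorisation check. The block below is an added example (not that plugin's code and not from the page) of a download endpoint that requires a logged-in, capable user and also confines the requested path to the uploads directory, since an authorised user should still not be able to reach `wp-config.php` with `../`. It assumes WordPress's `wp_upload_dir`, `check_ajax_referer`, `current_user_can` and `wp_send_json_error`; the action and nonce names are assumed.

```php
<?php
// Added example: authorised, path-confined file download.

add_action('wp_ajax_example_download', 'example_download'); // deliberately no _nopriv twin
function example_download() {
    check_ajax_referer('example_download', 'nonce');     // assumed nonce action name
    if (!current_user_can('upload_files')) {             // authorisation
        wp_send_json_error('forbidden', 403);
    }
    $base = realpath(wp_upload_dir()['basedir']);
    if ($base === false) {
        wp_send_json_error('uploads directory unavailable', 500);
    }
    $path = example_confine_path($base, (string) ($_GET['file'] ?? ''));
    if ($path === null) {
        wp_send_json_error('not found', 404);
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

/**
 * Resolve $relative against $base and return the absolute path only if the
 * resolved file stays inside $base. Rejects NUL bytes, "../" sequences and
 * symlinks that resolve outside the directory.
 */
function example_confine_path(string $base, string $relative): ?string {
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($relative, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with the trailing separator so "/uploads-private" cannot pass as "/uploads".
    return strpos($candidate, $base . DIRECTORY_SEPARATOR) === 0 ? $candidate : null;
}
```

A deletion endpoint would use the same `example_confine_path()` guard before `unlink()`, with a capability that matches the action (for example `delete_posts` or a custom capability) rather than `upload_files`.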
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-12416 | HIGH | 7.5 | 2025-01-07 | The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to SQL Injection via the 'woomotiv_seen_products_.*' cookie in all versions up to, and in… |
| CVE-2025-2011 | HIGH | 7.5 | 2025-05-06 | The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1 due to insuffi… |
| CVE-2022-2903 | HIGH | 7.2 | 2022-09-26 | The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (in… |
| CVE-2024-1761 | MEDIUM | 6.4 | 2024-03-07 | The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget/block in all versions up to, and including, 3.6.1 due to insufficient inp… |
| CVE-2024-1957 | MEDIUM | 6.4 | 2024-04-13 | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode in all versions up t… |
| CVE-2024-4452 | MEDIUM | 6.4 | 2024-05-21 | The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 3.6.1 due to insufficient input san… |
| CVE-2024-11198 | MEDIUM | 6.4 | 2024-11-19 | The GD Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘extra_class’ parameter in all versions up to, and including, 3.6.1 due to insuffici… |
| CVE-2025-12710 | MEDIUM | 6.4 | 2025-11-19 | The Pet-Manager – Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to in… |
| CVE-2026-3333 | MEDIUM | 6.4 | 2026-03-21 | The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due t… |
| CVE-2020-29172 | MEDIUM | 6.1 | 2020-12-26 | A cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin before 3.6.1 for WordPress can be exploited via the Server IP setting. |
| CVE-2022-0653 | MEDIUM | 6.1 | 2022-02-24 | The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url p… |
| CVE-2022-0641 | MEDIUM | 6.1 | 2022-03-28 | The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Sit… |
| CVE-2024-11707 | MEDIUM | 6.1 | 2024-12-03 | The My auctions allegro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.6.17 due to insuffici… |
| CVE-2026-3349 | MEDIUM | 6.1 | 2026-05-27 | The MinhNhut Link Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter on the redirect page in all versions up to, and including, 3… |
| CVE-2023-6499 | MEDIUM | 5.4 | 2024-02-12 | The lasTunes WordPress plugin through 3.6.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in… |
| CVE-2024-10584 | MEDIUM | 5.4 | 2024-12-24 | The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and… |
| CVE-2025-12887 | MEDIUM | 5.4 | 2025-12-03 | The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user … |
| CVE-2024-11292 | MEDIUM | 5.3 | 2024-12-06 | The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1 via the WordPress core search feature.… |
| CVE-2025-13950 | MEDIUM | 5.3 | 2025-12-15 | The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functiona… |
| CVE-2026-0927 | MEDIUM | 5.3 | 2026-01-23 | The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport… |
| CVE-2021-25056 | MEDIUM | 4.8 | 2022-07-04 | The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even w… |
| CVE-2021-25066 | MEDIUM | 4.8 | 2022-07-04 | The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks … |
| CVE-2026-3348 | MEDIUM | 4.4 | 2026-05-27 | The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings (Description, Title, and other fields) in all versions up to,… |
| CVE-2013-5738 | MEDIUM | 4.3 | 2013-09-12 | The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, whi… |
| CVE-2020-36749 | MEDIUM | 4.3 | 2023-07-01 | The Easy Testimonials plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.1. This is due to missing or incorrect nonce validatio… |
| CVE-2026-1857 | MEDIUM | 4.3 | 2026-02-18 | The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficie… |
| CVE-2026-2633 | MEDIUM | 4.3 | 2026-02-18 | The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capabi… |
| CVE-2013-4340 | LOW | 3.5 | 2013-09-12 | wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified use… |
| CVE-2013-5739 | LOW | 3.5 | 2013-09-12 | The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-sit… |
WordPress 3.6.1 is no longer safe for any production website. With 35 known vulnerabilities—including 3 critical flaws that allow unauthorized access, file deletion, and code execution—staying on this version is an unacceptable security risk. The good news is that updating WordPress is straightforward and takes just minutes, yet delivers a substantial improvement in your site's security posture.
Don't let your website become another statistic in the cybercrime reports. Use SiteRecipe.com to scan your site for vulnerabilities, identify outdated software, and receive actionable recommendations for securing your WordPress installation. Our platform provides continuous monitoring and alerts, ensuring your site stays protected against emerging threats. Visit SiteRecipe.com today for a free security audit and take control of your website's safety.