WordPress 3.9.1 is an outdated version that poses serious security risks to your website. Security researchers have identified 32 vulnerabilities in this version, including 2 critical flaws that could give hackers complete control of your site. If you're still running WordPress 3.9.1, your website is vulnerable to SQL injection attacks, authentication bypass exploits, and unauthorized file uploads that could compromise your data and your visitors' information.
This comprehensive guide will help you understand the risks associated with WordPress 3.9.1, show you how to check if your site is affected, and provide step-by-step instructions to secure your website. Whether you're a business owner or website administrator, protecting your WordPress installation should be your top priority.
WordPress 3.9.1 is an older version of the popular WordPress content management system (CMS) released in 2014. While it was once a stable and widely-used version, WordPress 3.9.1 has since been superseded by newer, more secure versions. The WordPress ecosystem has evolved significantly since then, with major improvements in security protocols, performance optimization, and user experience. Today, WordPress 3.9.1 is considered legacy software and should no longer be used for active websites.
Approximately 45 websites worldwide are still running WordPress 3.9.1, many likely due to outdated plugins, custom code incompatibilities, or lack of awareness about security risks. Running an old WordPress version is like leaving your front door unlocked—it exposes your website to attackers who actively exploit known vulnerabilities. These vulnerabilities can lead to data breaches, malware infections, website defacement, and loss of customer trust.
32 CVEs were found. The most critical are explained below; the remainder are listed in the table that follows.
The All in One WP Security plugin has a serious flaw that lets hackers directly access your website's database, where all your sensitive information is stored. This happens through SQL injection: input supplied by an attacker is passed into a database query without being properly escaped or parameterised, so the attacker can change what the query does.
Impact: Hackers could steal your customer data, user password hashes, email addresses, and any private information stored in your database. They could also modify or delete your website content.
The MStore API plugin doesn't properly verify who is making requests to it, meaning someone without a real account can pretend to be a customer. This is like having a store where the cashier doesn't check whether someone actually has an account before processing their order.
Impact: Attackers could access customer accounts without passwords, view private information, make purchases without authorization, or manipulate shopping carts and orders.
The uContext Amazon plugin is missing basic security checks that would prevent attackers from tricking your website into performing unauthorized actions. Someone could craft a malicious link that, when clicked by you or your visitors, executes harmful code.
Impact: Attackers could inject malicious code into your website, steal information from your site visitors, or manipulate your website's functionality without your knowledge.
The uContext Clickbank plugin lacks the same security verification, allowing attackers to trick your website into running malicious commands. This is the same type of vulnerability as CVE-2022-2541 but in a different plugin.
Impact: Attackers could inject harmful code into your website, compromise visitor data, or alter how your Clickbank integration functions.
The Auto Featured Image plugin doesn't properly check what types of files users can upload. An attacker with author access could upload malicious files, such as executable scripts disguised as images.
Impact: Someone with author privileges could upload and run malicious code on your server, potentially taking over your entire website or using it to attack other sites.
The Code Snippets plugin has a vulnerability that lets attackers inject and execute their own code through shortcodes. This is like leaving a way for someone to insert harmful instructions directly into your website.
Impact: Attackers could run any code they want on your server, potentially stealing data, modifying your site, or using your website as a launching point for attacks on others.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2022-0236 | HIGH | 7.5 | 2022-01-18 | The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download… |
| CVE-2025-0817 | HIGH | 7.2 | 2025-02-18 | The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitiz… |
| CVE-2024-6490 | MEDIUM | 6.5 | 2024-07-26 | During testing of the Master Slider WordPress plugin through 3.9.10, a CSRF vulnerability was found, which allows an unauthorized user to manipulate requests on behalf of the vic… |
| CVE-2023-2406 | MEDIUM | 6.4 | 2023-06-03 | The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerab… |
| CVE-2024-1449 | MEDIUM | 6.4 | 2024-03-02 | The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ms_slide shortcode in all versions up to, and includ… |
| CVE-2024-2128 | MEDIUM | 6.4 | 2024-03-07 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Sto… |
| CVE-2024-1802 | MEDIUM | 6.4 | 2024-03-07 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Sto… |
| CVE-2024-2468 | MEDIUM | 6.4 | 2024-03-23 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Sto… |
| CVE-2024-3245 | MEDIUM | 6.4 | 2024-04-06 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Sto… |
| CVE-2024-3244 | MEDIUM | 6.4 | 2024-04-09 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Sto… |
| CVE-2024-4316 | MEDIUM | 6.4 | 2024-05-14 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Sto… |
| CVE-2024-4043 | MEDIUM | 6.4 | 2024-05-23 | The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpupg-text' shortcode in all versions up to, and including, 3.9.1 due… |
| CVE-2024-1565 | MEDIUM | 6.4 | 2024-06-13 | The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Si… |
| CVE-2024-4375 | MEDIUM | 6.4 | 2024-06-18 | The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ms_layer' shortcode in all versions up to, and incl… |
| CVE-2025-8780 | MEDIUM | 6.4 | 2025-12-13 | The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Hero Header and Pricing Table widgets in all versions up to, and… |
| CVE-2025-12448 | MEDIUM | 6.4 | 2026-02-19 | The Smartsupp – live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and… |
| CVE-2026-4852 | MEDIUM | 6.4 | 2026-04-20 | The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all ve… |
| CVE-2023-6632 | MEDIUM | 6.1 | 2024-01-11 | The Happy Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via DOM in all versions up to and including 3.9.1.1 (versions up to 2.9.1.1 in … |
| CVE-2021-24694 | MEDIUM | 5.4 | 2022-01-24 | The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css… |
| CVE-2023-2031 | MEDIUM | 5.4 | 2023-06-09 | The Locatoraid Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.9.14 due to insuff… |
| CVE-2023-6326 | MEDIUM | 5.4 | 2024-03-02 | The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.10. This is due to missing o… |
| CVE-2024-2688 | MEDIUM | 5.4 | 2024-03-23 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Sto… |
| CVE-2024-1803 | MEDIUM | 4.3 | 2024-05-23 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to una… |
| CVE-2024-43117 | MEDIUM | 4.3 | 2024-08-26 | Cross-Site Request Forgery (CSRF) vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hummingbird hummingbird-performance. This issue affects Hummingbird: from n/a throu… |
| CVE-2024-43118 | MEDIUM | 4.3 | 2024-11-01 | Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hummingbird hummingbird-performance. This issue affects Hummingbird: from n/a through <= 3.9.1. |
| CVE-2024-13783 | MEDIUM | 4.3 | 2025-02-18 | The FormCraft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in formcraft-main.php in all versions up to, and including, 3.9.1… |
WordPress 3.9.1 is no longer safe for any production website. With 32 known vulnerabilities, including 2 critical flaws involving SQL injection and authentication bypass, staying on this version puts your business at significant risk. Attackers actively scan for and exploit these known weaknesses, making your website an easy target. The good news is that updating WordPress is straightforward and can be completed in minutes with proper preparation: take a full backup of the site files and database first, then update core, themes and plugins.
Don't leave your website vulnerable to attacks. Use SiteRecipe.com's advanced security scanning tools to identify all vulnerabilities on your WordPress site, get personalized recommendations for fixes, and monitor your site's security in real-time. Our platform helps thousands of website owners stay protected against evolving threats. Visit SiteRecipe.com today to perform a free security scan and take the first step toward a more secure WordPress installation.