WordPress 3.9.2, released in 2014, is an outdated version still running on approximately 29 websites worldwide. Matching on that version string turns up 24 known security vulnerabilities, including one rated critical. Only a few of them are in WordPress core itself; most are in plugins whose own release happens to be numbered 3.9.2, so which ones apply to a given site depends on what is installed. None of that makes the core version safe: a site still on it has missed every WordPress security fix since 2014 and is at real risk of unauthorized access, data breaches, and malware infections.
The entry with the highest severity is CVE-2023-2732, a critical authentication bypass in the MStore API plugin (plugin versions up to and including 3.9.2) that lets an attacker use parts of the plugin's REST API without logging in. It is a plugin flaw rather than a core flaw, as are the high-severity file upload issues in WP Import Export Lite; the CSRF and nonce weaknesses, by contrast, are in WordPress 3.9.2 itself and affect every site on it. This guide walks through these threats and what to do about them.
WordPress 3.9.2 is an old release of the world's most popular content management system, published in August 2014. It was considered current and secure at the time, but it lacks every security fix, bug fix and feature that has shipped since. The 3.9 branch itself kept receiving backported security releases (3.9.3 onward) until WordPress ended support for the 3.7 to 4.0 branches in 2022, so a site still on 3.9.2 has missed even those.
Attack methods have moved on as well. Automated bots scan for known-vulnerable versions and exploit published flaws at scale, and WordPress 3.9.2 contains no fix for anything discovered after August 2014. Running it is not just risky; it puts your business, your users' data, and your website's reputation in real danger.
24 CVEs found. A caveat before reading them: the matching is done on the version string 3.9.2, so most of the entries are plugins (MStore API, WP Import Export Lite, Stream, EmbedPress and others) whose own release number happens to be 3.9.2, and they affect a site only if that plugin is installed. Core entries worded "before 3.9.2" describe bugs that 3.9.2 fixed. The most serious entries are explained below.
The MStore API plugin (CVE-2023-2732, plugin versions up to and including 3.9.2) does not properly authenticate some of its REST API requests, so an attacker can invoke them without valid credentials.
Impact: An unauthenticated attacker could add listings, modify content, or read data that should require an account on your site. The fix is to update the plugin to a release newer than 3.9.2, or remove it if it is not needed.
WordPress 3.9.x has a flaw in how it handles widget data that lets an attacker place code in a widget that is not properly filtered. The vulnerability is in the core widget system, not in a plugin.
Impact: Whatever was injected is rendered wherever the widget appears. Script planted this way runs in the browser of each visitor or administrator who loads the page, and an administrator's session is enough to take over the site or steal data.
The WP Import Export Lite plugin does not properly check the type of uploaded files, so a file that is really a script can be uploaded under a harmless-looking name.
Impact: A user with even a low-privilege account could upload a web shell or other backdoor that compromises the whole site.
A second upload flaw in the same plugin's template import function accepts files without proper validation.
Impact: Attackers with subscriber-level access could upload harmful files, potentially installing backdoors or taking control of your website. Both issues are in the plugin, so they apply only to sites that have WP Import Export Lite installed; update it or remove it.
WordPress 3.9.2 checks a submitted nonce (its CSRF token) with an ordinary string comparison that stops at the first differing character, so the response takes slightly longer the more leading characters of a guess are right. An attacker who can measure that can recover a valid nonce one character at a time instead of having to guess the whole value.
Impact: A recovered nonce defeats WordPress's CSRF protection for that action, letting the attacker forge requests that appear to come from a logged-in user. Later releases compare nonces in constant time.
WordPress 3.9.2 also builds a nonce by concatenating the time bucket, action name and user ID with no separator between them before hashing, so different action and user combinations can produce the same input and therefore the same nonce.
Impact: A nonce issued for one action can be valid for another, which lets an attacker bypass CSRF protection and perform actions on behalf of a user without proper authorization. Later releases insert '|' delimiters between the fields.
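The two nonce weaknesses just described are easiest to see in code. The block below is an added example, not WordPress code: a reduced Python model of what wp_create_nonce and wp_verify_nonce do, with the key, action names and user IDs constructed for the demo. It shows how concatenating the fields without a separator lets two different action/user pairs produce the same nonce, how an early-exit comparison reveals through its step count (and so its timing) how many leading characters of a guess were right, and the hardened form: '|' delimiters plus a constant-time comparison.

```python
"""Added example modelling the two nonce weaknesses described above.  It is not
WordPress code, only a reduced model of how wp_create_nonce/wp_verify_nonce
work.  NONCE_KEY is a constructed stand-in for the site's secret keys, and the
action names and user ids in the demo are made up."""
import hashlib
import hmac
import math

NONCE_KEY = b"constructed-demo-secret-not-a-real-key"  # assumption: stands in for NONCE_KEY/NONCE_SALT
NONCE_LIFE = 24 * 60 * 60  # seconds; WordPress default nonce life is one day


def nonce_tick(now: float) -> int:
    """Time bucket that advances every half nonce-life; the previous bucket is still accepted."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _ten_chars(material: str) -> str:
    """10 characters cut from a keyed hash, the way wp_create_nonce shortens wp_hash()."""
    return hmac.new(NONCE_KEY, material.encode(), hashlib.md5).hexdigest()[-12:-2]


def nonce_without_delimiters(tick: int, action: str, uid: int) -> str:
    """Weak form: tick, action and user id are concatenated directly, so the
    boundary between action and user id is lost before hashing."""
    return _ten_chars(f"{tick}{action}{uid}")


def nonce_with_delimiters(tick: int, action: str, uid: int) -> str:
    """Hardened form: a '|' between the fields, as later WordPress releases do."""
    return _ten_chars(f"{tick}|{action}|{uid}")


def leaky_compare(submitted: str, expected: str) -> tuple[bool, int]:
    """Ordinary early-exit comparison.  Returns (equal, characters examined);
    the second value is what response timing tells an attacker."""
    examined = 0
    for a, b in zip(submitted, expected):
        examined += 1
        if a != b:
            return False, examined
    return len(submitted) == len(expected), examined


def verify_nonce(submitted: str, action: str, uid: int, now: float) -> int:
    """Hardened verifier: delimited input and constant-time comparison.
    Mirrors wp_verify_nonce's return values: 1 for the current tick,
    2 for the previous one, 0 when invalid."""
    tick = nonce_tick(now)
    if hmac.compare_digest(submitted, nonce_with_delimiters(tick, action, uid)):
        return 1
    if hmac.compare_digest(submitted, nonce_with_delimiters(tick - 1, action, uid)):
        return 2
    return 0


if __name__ == "__main__":
    now = 1_700_000_000
    tick = nonce_tick(now)
    # user 23 deleting post 1 and user 3 deleting post 12 hash the very same string
    a = nonce_without_delimiters(tick, "delete-post_1", 23)
    b = nonce_without_delimiters(tick, "delete-post_12", 3)
    print("no delimiters  :", a, b, "same" if a == b else "different")
    a = nonce_with_delimiters(tick, "delete-post_1", 23)
    b = nonce_with_delimiters(tick, "delete-post_12", 3)
    print("with delimiters:", a, b, "same" if a == b else "different")
    # timing leak: a guess sharing a longer correct prefix is examined further
    real = nonce_with_delimiters(tick, "delete-post_1", 23)
    for guess in ("0000000000", real[:3] + "0000000", real[:7] + "000"):
        print(f"guess {guess}: {leaky_compare(guess, real)}")
    print("verify:", verify_nonce(real, "delete-post_1", 23, now))
```

The collision in the undelimited form does not need any cryptographic weakness in the hash; the two inputs are byte-for-byte identical before hashing. The timing leak is independent of it: even a perfectly built nonce is recoverable character by character if the comparison short-circuits, which is why the verifier uses hmac.compare_digest.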
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2014-9033 | MEDIUM | 6.8 | 2014-11-25 | Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users f… |
| CVE-2022-4384 | MEDIUM | 6.5 | 2023-02-06 | The Stream WordPress plugin before 3.9.2 does not prevent users with little privileges on the site (like subscribers) from using its alert creation functionality, which may enable… |
| CVE-2025-2839 | MEDIUM | 6.4 | 2025-04-22 | The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to … |
| CVE-2025-5541 | MEDIUM | 6.4 | 2025-06-06 | The Runners Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'runnerslog' shortcode in all versions up to, and including, 3.9.2 due to insuff… |
| CVE-2026-2029 | MEDIUM | 6.4 | 2026-02-26 | The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[labb_pricing_item]` shortcode's `title` and `value` attributes i… |
| CVE-2026-3896 | MEDIUM | 6.4 | 2026-05-27 | The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2… |
| CVE-2026-3897 | MEDIUM | 6.4 | 2026-05-27 | The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including… |
| CVE-2023-4476 | MEDIUM | 6.1 | 2023-09-25 | The Locatoraid Store Locator WordPress plugin before 3.9.24 does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cro… |
| CVE-2023-5749 | MEDIUM | 6.1 | 2023-12-11 | The EmbedPress WordPress plugin before 3.9.2 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could… |
| CVE-2023-5750 | MEDIUM | 6.1 | 2023-12-11 | The EmbedPress WordPress plugin before 3.9.2 does not sanitise and escape a parameter before outputting it back in the page containing a specific content, leading to a Reflected C… |
| CVE-2024-11687 | MEDIUM | 6.1 | 2024-12-06 | The Next-Cart Store to WooCommerce Migration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.… |
| CVE-2025-4369 | MEDIUM | 5.5 | 2025-07-15 | The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_delay_days’ parameter in all versions up to, and including, 3.9.2 due t… |
| CVE-2021-24678 | MEDIUM | 5.4 | 2021-10-04 | The CM Tooltip Glossary WordPress plugin before 3.9.21 does not escape some glossary_tooltip shortcode attributes, which could allow users a role as low as Contributor to perform … |
| CVE-2014-5265 | MEDIUM | 5.0 | 2014-08-18 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion duri… |
| CVE-2014-5266 | MEDIUM | 5.0 | 2014-08-18 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, whic… |
| CVE-2015-1204 | MEDIUM | 4.3 | 2015-01-21 | Cross-site scripting (XSS) vulnerability in the Save Filters functionality in the WP Slimstat plugin before 3.9.2 for WordPress allows remote attackers to inject arbitrary web scr… |
| CVE-2025-13935 | MEDIUM | 4.3 | 2026-01-09 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due … |
| CVE-2014-5240 | LOW | 2.1 | 2014-08-18 | Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject ar… |
WordPress 3.9.2 is no longer just outdated; it is unsupported, and its core CSRF and nonce weaknesses have had fixes available for years. On sites that also run the affected plugins, the MStore API authentication bypass and the WP Import Export Lite upload flaws add further ways in. Delaying an update puts your business data, customer information, and reputation at serious risk, and every day the site stays on this version increases the likelihood of a successful attack.
Don't let your WordPress installation become a liability. Use SiteRecipe.com to scan your website for vulnerabilities, monitor your WordPress version in real-time, and receive automated alerts when security updates are available. Our platform makes it simple to identify outdated software before it becomes a problem, and we provide clear guidance on updating safely. Visit SiteRecipe.com today to secure your WordPress site and protect what matters most to your business.