WordPress 3.9.3 is an older version that contains 32 documented security vulnerabilities, including one critical flaw that puts your website at serious risk. If you're still running this version, your site could be exposed to unauthorized access, data theft, and malware infections. This comprehensive guide will help you understand these vulnerabilities and take immediate action to protect your WordPress installation.
Our security research team identified that 7 websites are still using WordPress 3.9.3, making them prime targets for cyber attacks. The vulnerabilities range from privilege escalation attacks to arbitrary file uploads and stored cross-site scripting flaws. Whether you're a site owner or administrator, understanding these risks is the first step toward securing your digital property.
WordPress 3.9.3 is a legacy version of WordPress, the world's most popular website platform, released over a decade ago. It powered millions of websites during its time but has since been superseded by newer, more secure versions. If your website is still running WordPress 3.9.3, it means you haven't updated to a current version, leaving your site vulnerable to modern cyber threats that developers have since patched in newer releases.
Think of WordPress versions like car models: just as older car models lack modern safety features, older WordPress versions lack modern security protections. WordPress 3.9.3 was never designed to defend against today's sophisticated hacking techniques. Running an outdated version is like leaving your front door unlocked in a neighborhood with rising crime rates—it's not a matter of if attackers will find vulnerabilities, but when.
32 CVEs found. The most critical are explained below.
The JSON API User plugin has a serious flaw that allows anyone on the internet to create an administrator account on your WordPress site without any password or permission. This happens because the plugin doesn't properly check who is allowed to create user accounts.
Impact: A hacker could take complete control of your website, steal all your data, change your content, or shut down your site entirely.
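As an added illustration of the missing-authorization pattern described above (written for this page, not code from the JSON API User plugin or from WordPress core), here is a REST route that creates users, first with the gap and then with the checks a plugin should perform. It assumes it runs inside a plugin on a current WordPress; the `example/v1` namespace and function name are made up.

```php
<?php
// Added example (not the JSON API User plugin's code): a REST route that creates
// users, shown with the authorization gap first and the hardened form second.
// Assumes a plugin loaded by a current WordPress; 'example/v1' is a made-up namespace.

// WEAK: permission_callback always returns true, so an unauthenticated visitor
// can reach the handler and ask for role=administrator.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_user',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: the route is only reachable by a logged-in user who holds the
// 'create_users' capability, and the role is restricted to a fixed allow-list.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_user',
        'permission_callback' => function () {
            return current_user_can( 'create_users' );
        },
        'args'                => array(
            'role' => array(
                'default'           => 'subscriber',
                'validate_callback' => function ( $role ) {
                    return in_array( $role, array( 'subscriber', 'contributor' ), true );
                },
            ),
        ),
    ) );
} );

function example_create_user( WP_REST_Request $request ) {
    $login = sanitize_user( (string) $request->get_param( 'username' ), true );
    $email = sanitize_email( (string) $request->get_param( 'email' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        return new WP_Error( 'invalid_input', 'Bad username or e-mail.', array( 'status' => 400 ) );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $request->get_param( 'role' ),
    ) );
    return is_wp_error( $user_id ) ? $user_id : rest_ensure_response( array( 'id' => $user_id ) );
}
```

On the weak route nothing validates `role`, so the same handler will happily create an administrator for anyone who posts the request; on the hardened route the capability check and the allow-list close both gaps.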
If someone with author or editor access uploads a file with a specially crafted name to the Media library, that name can cause malicious code to run when the file is viewed. This requires an account that already has upload permissions: either a trusted person acting maliciously or an account that has been compromised.
Impact: Your website could be infected with malware, steal visitor data, or spread attacks to your users' computers.
The GD Mail Queue plugin doesn't sanitize queued email messages before displaying them. This means someone could insert malicious code into an email, and that code would be displayed on your website and executed when visitors or administrators view it.
Impact: Visitors clicking links or scripts in the emails could have their accounts compromised or their computers infected with malware.
The Import XML/CSV/Excel plugin doesn't check what type of file is being imported, which means an attacker with admin access could upload executable files disguised as data imports. This is mainly a risk if you have untrustworthy admins or an admin account has been compromised.
Impact: Malicious files could be uploaded to your server and executed, giving attackers full control of your website.
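The two upload weaknesses above (the crafted Media file name and the unchecked import file type) share one fix: never trust the client-supplied name or declared type. The handler below is an added example written for this page, not the plugin's code; it assumes a WordPress plugin context, and the `example_import` action and the `import_file` form field are made-up names.

```php
<?php
// Added example (not the Import XML/CSV/Excel plugin's code): an admin-side import
// handler that accepts only data formats, checked by extension AND by file content,
// instead of trusting the client-supplied name or MIME type. Assumes a WordPress
// plugin context; the 'example_import' action and form field names are made up.

add_action( 'admin_post_example_import', 'example_handle_import' );

function example_handle_import() {
    // Only users allowed to import reach this, and only via our own nonce-protected form.
    if ( ! current_user_can( 'import' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_import' );

    if ( empty( $_FILES['import_file']['tmp_name'] ) ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['import_file'];

    // Allow-list of data formats; php, phtml, html, svg and everything else is refused.
    $allowed_mimes = array(
        'csv' => 'text/csv',
        'xml' => 'text/xml',
    );

    // Strip path separators, control characters and trailing dots/spaces from the
    // client-supplied name before it is used anywhere on disk.
    $file['name'] = sanitize_file_name( $file['name'] );

    // Match the extension against the allow-list and check that the temporary file's
    // actual content agrees with it; the browser's declared type is ignored.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed for import.', '', array( 'response' => 415 ) );
    }

    // Move it via WordPress so the same allow-list is enforced again; 'test_form'
    // is false because this is not the media uploader's own form.
    $upload = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed_mimes ) );
    if ( isset( $upload['error'] ) ) {
        wp_die( esc_html( $upload['error'] ), '', array( 'response' => 400 ) );
    }

    // $upload['file'] is a validated data file on the server; parse it from here.
    wp_safe_redirect( admin_url( 'admin.php?page=example-import&done=1' ) );
    exit;
}
```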
WordPress versions before 3.9.3 have a flaw in how they verify passwords stored with a legacy hashing method. Attackers can exploit this weakness to guess or bypass passwords, particularly for accounts that haven't been used since 2008.
Impact: Hackers could gain unauthorized access to old admin accounts or other user accounts on your site.
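An added illustration of the defensive pattern for the legacy-hash problem above, written for this page rather than copied from WordPress core (which handles the same case inside `wp_check_password()`): verify a pre-2008 MD5 hash with a constant-time comparison and immediately replace it with a current-format hash. `example_verify_and_upgrade()` and its `$stored` argument are hypothetical.

```php
<?php
// Added example, not WordPress core's code: constant-time verification of a legacy
// MD5 password hash followed by an immediate upgrade to the current hash format.
// example_verify_and_upgrade(), $stored and $user_id are hypothetical inputs.

function example_verify_and_upgrade( string $password, string $stored, int $user_id ): bool {
    // Hashes written before WordPress 2.5 (2008) are bare 32-character hex MD5 digests.
    if ( 32 === strlen( $stored ) && ctype_xdigit( $stored ) ) {
        // WEAK pattern to avoid: `md5( $password ) == $stored`. PHP's loose comparison
        // and its early-exit timing both weaken the check; hash_equals() compares every
        // byte and returns a strict bool.
        if ( ! hash_equals( $stored, md5( $password ) ) ) {
            return false;
        }
        // Re-hash with the current scheme so the MD5 digest never has to be checked again.
        wp_set_password( $password, $user_id );
        return true;
    }
    // Anything else is a current-format hash; defer to WordPress' own checker.
    return wp_check_password( $password, $stored, $user_id );
}
```

Counting rows in `wp_users` whose `user_pass` is exactly 32 characters long shows how many accounts still carry a legacy hash and have not logged in since the upgrade path was introduced.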
Users with author or editor permissions can inject JavaScript code into media attachment pages in a way that does not look suspicious. When site administrators view these pages, the malicious code runs with administrator-level privileges.
Impact: A compromised author account could be used to steal admin credentials or take control of your entire site.
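Both stored cross-site scripting cases on this page (the email contents displayed by the GD Mail Queue plugin and the attachment pages above) come down to echoing stored, user-controlled data without escaping it for the context it lands in. The following is an added example written for this page, not the plugin's code and not WordPress core; the `$mail` array, the attachment argument and the function names are hypothetical.

```php
<?php
// Added example (not the GD Mail Queue plugin's code, not WordPress core): rendering
// stored, sender- or author-controlled data in an admin page with the escaping
// function that fits each output context. $mail fields and function names are made up.

// WEAK: values stored by an author, or arriving in an e-mail, are echoed raw, so any
// <script> or on* attribute inside them runs in the administrator's browser.
function example_render_mail_weak( array $mail ) {
    echo '<h2>' . $mail['subject'] . '</h2>';
    echo '<p>From: <a href="mailto:' . $mail['reply_to'] . '">' . $mail['from'] . '</a></p>';
    echo '<div>' . $mail['body'] . '</div>';
}

// HARDENED: escape on output, choosing the function for where the value lands.
function example_render_mail( array $mail ) {
    // Text node: esc_html() neutralises < > & " '.
    echo '<h2>' . esc_html( $mail['subject'] ) . '</h2>';
    // URL attribute: esc_url() keeps only allowed schemes (mailto is one) and
    // strips or encodes characters that could break out of the attribute.
    echo '<p>From: <a href="' . esc_url( 'mailto:' . $mail['reply_to'] ) . '">'
        . esc_html( $mail['from'] ) . '</a></p>';
    // Rich body: wp_kses_post() keeps the tags and attributes a post may contain
    // and removes script tags, event handlers and javascript: URLs.
    echo '<div>' . wp_kses_post( $mail['body'] ) . '</div>';
}

// Same rule for attachment metadata an author controls: the title and file name
// are data, never markup, wherever an administrator views them.
function example_render_attachment_row( $attachment_id ) {
    $title = get_the_title( $attachment_id );
    $file  = wp_get_attachment_url( $attachment_id );
    printf(
        '<tr><td>%s</td><td><a href="%s">%s</a></td></tr>',
        esc_html( $title ),
        esc_url( $file ),
        esc_html( basename( (string) $file ) )
    );
}
```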
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-8977 | MEDIUM | 6.5 | 2025-08-28 | The Simple Download Monitor plugin for WordPress is vulnerable to time-based SQL Injection via the order parameter in all versions up to, and including, 3.9.33 due to insufficient… |
| CVE-2025-13679 | MEDIUM | 6.5 | 2026-01-08 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() f… |
| CVE-2014-9038 | MEDIUM | 6.4 | 2014-11-25 | wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) … |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2024-2287 | MEDIUM | 6.4 | 2024-04-09 | The Knight Lab Timeline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.9.3.3 due to insuff… |
| CVE-2024-9051 | MEDIUM | 6.4 | 2024-10-11 | The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpupg-grid-with-filters shortcode in all versions up to, and including… |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2021-24932 | MEDIUM | 6.1 | 2021-12-13 | The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS … |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2021-24127 | MEDIUM | 5.4 | 2021-03-18 | Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, was vulnerable to authenticated Stored Cross… |
| CVE-2022-4577 | MEDIUM | 5.4 | 2023-02-06 | The Easy Testimonials WordPress plugin before 3.9.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users … |
| CVE-2025-14067 | MEDIUM | 5.3 | 2026-02-14 | The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and inclu… |
| CVE-2014-9034 | MEDIUM | 5.0 | 2014-11-25 | wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU cons… |
| CVE-2014-9031 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitr… |
| CVE-2014-9032 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web… |
| CVE-2014-9035 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject ar… |
| CVE-2014-9036 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web sc… |
| CVE-2014-9039 | MEDIUM | 4.3 | 2014-11-25 | wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-m… |
| CVE-2025-13628 | MEDIUM | 4.3 | 2026-01-09 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the … |
| CVE-2025-13934 | MEDIUM | 4.3 | 2026-01-09 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due … |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
Running WordPress 3.9.3 exposes your website to serious security risks that hackers actively exploit. The 32 vulnerabilities we've identified—especially the critical privilege escalation flaw—could allow attackers to take control of your site, steal customer data, or inject malware. Updating to a current WordPress version isn't optional; it's essential for protecting your business, your visitors, and your reputation.
Don't wait for a security breach to force your hand. Use SiteRecipe.com's comprehensive security scanner to identify all vulnerabilities on your WordPress site today. Our platform provides step-by-step guidance for fixing security issues and keeps you protected with continuous monitoring. Visit SiteRecipe.com now to run a free security audit and take control of your WordPress security.