WordPress 4.0 is an outdated version running on approximately 50 websites worldwide, but it carries significant security risks that could compromise your data and visitors' safety. With 235 documented vulnerabilities—including 12 critical-level flaws—this older version is a prime target for hackers seeking unpatched entry points into websites. If your site still runs WordPress 4.0, understanding these risks and taking immediate action is essential for protecting your digital assets.
The vulnerabilities range from Remote Code Execution (RCE) attacks that allow attackers to take complete control of your site, to SQL injection exploits that expose your entire database. Several critical vulnerabilities exist in popular plugins commonly used with this WordPress version, including the Widget Options plugin and authentication solutions. This comprehensive guide will help you identify whether your site is vulnerable and provide actionable steps to secure it.
WordPress 4.0 is an older major release of WordPress, the content management system powering over 40% of all websites on the internet. Released in 2014, WordPress 4.0 introduced significant improvements to the editing experience and overall platform stability at that time. However, like all software, WordPress receives regular security updates to patch newly discovered vulnerabilities—and version 4.0 stopped receiving official security support years ago.
When WordPress versions reach end-of-life, they no longer receive security patches or updates from Automattic (the company behind WordPress). This means any vulnerabilities discovered after support ends remain unfixed on those versions. Website owners running WordPress 4.0 are essentially operating with a ticking time bomb: every new vulnerability discovered in the core software or popular plugins becomes a permanent weakness on their site. This is why cybersecurity experts universally recommend upgrading to the latest stable WordPress version as quickly as possible.
235 CVEs were found for this version. The most critical are explained below.
The Widget Options plugin has a serious flaw that lets attackers insert harmful code into your website. This happens through the display logic feature that works with page builders. If you're running version 4.0.7 or older of this plugin, hackers can take complete control of your site.
Impact: An attacker could steal your data, modify your website content, create fake admin accounts, or use your site to attack visitors. Your website could go offline or be used to spread malware.
The Quick Chat plugin before version 4.00 has a database vulnerability. Attackers can write malicious code that tricks the database into revealing or deleting sensitive information stored in your WordPress site.
Impact: Hackers could access customer data, passwords, emails, and other confidential information from your database. They could also delete or corrupt your website's data.
The All-in-One WP Security & Firewall plugin before version 4.0.9 has multiple database security flaws. Despite being a security tool, it actually opens the door for attackers to access your database directly.
Impact: Your website's entire database could be exposed, including user accounts, passwords, and all stored information. Attackers could modify or delete critical data.
The All-in-One WP Security & Firewall plugin before version 4.0.7 contains multiple flaws that compromise database security. Ironically, this security plugin creates vulnerabilities rather than preventing them.
Impact: Your database containing all website and customer data becomes accessible to attackers. They can steal, modify, or destroy your information.
The Formidable plugin before version 4.02.01 improperly handles serialized data (a way of storing information). Attackers can exploit this by injecting malicious code that gets executed when the plugin processes this data.
Impact: Hackers can execute arbitrary code on your server, potentially taking full control of your website and accessing all data stored within it.
The Login by Auth0 plugin before version 4.0.0 doesn't properly check or clean user data before exporting it. This means attackers can inject malicious code through fields that export user information.
Impact: Sensitive user data could be stolen or exposed. Attackers could also inject code that affects all users accessing your login system or their exported data.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2022-0836 | CRITICAL | 9.8 | 2022-05-09 | The SEMA API WordPress plugin before 4.02 does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL Injections e… |
| CVE-2022-4047 | CRITICAL | 9.8 | 2022-12-26 | The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated user… |
| CVE-2023-3197 | CRITICAL | 9.8 | 2023-06-24 | The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escapin… |
| CVE-2016-15042 | CRITICAL | 9.8 | 2024-10-16 | The Frontend File Manager (versions < 4.0), N-Media Post Front-end Form (versions < 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type va… |
| CVE-2025-6441 | CRITICAL | 9.8 | 2025-07-24 | The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token … |
| CVE-2021-24884 | CRITICAL | 9.6 | 2021-10-25 | The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remo… |
| CVE-2020-5391 | HIGH | 8.8 | 2020-04-01 | Cross-site request forgery (CSRF) vulnerabilities exist in the Auth0 plugin before 4.0.0 for WordPress via the domain field. |
| CVE-2020-7948 | HIGH | 8.8 | 2020-04-01 | An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. A user can perform an insecure direct object reference. |
| CVE-2020-13641 | HIGH | 8.8 | 2020-05-28 | An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The far_options_page function did not do any nonce verification, allowing for requests… |
| CVE-2021-24160 | HIGH | 8.8 | 2021-04-05 | In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, subscribers could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu… |
| CVE-2021-24161 | HIGH | 8.8 | 2021-04-05 | In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious P… |
| CVE-2021-24162 | HIGH | 8.8 | 2021-04-05 | In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings cou… |
| CVE-2021-34632 | HIGH | 8.8 | 2021-08-02 | The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject a… |
| CVE-2021-34634 | HIGH | 8.8 | 2021-08-05 | The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers… |
| CVE-2021-25082 | HIGH | 8.8 | 2022-02-21 | The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion is… |
| CVE-2022-1672 | HIGH | 8.8 | 2022-07-17 | The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to… |
| CVE-2023-0255 | HIGH | 8.8 | 2023-02-13 | The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected s… |
| CVE-2023-0340 | HIGH | 8.8 | 2023-03-20 | The Custom Content Shortcode WordPress plugin through 4.0.2 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include … |
| CVE-2023-2237 | HIGH | 8.8 | 2023-06-09 | The WP Replicate Post plugin for WordPress is vulnerable to SQL Injection via the post_id parameter in versions up to, and including, 4.0.2 due to insufficient escaping on the use… |
| CVE-2024-2115 | HIGH | 8.8 | 2024-04-05 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.0. This is due to missing or incor… |
| CVE-2024-3474 | HIGH | 8.8 | 2024-05-02 | The Wow Skype Buttons WordPress plugin before 4.0.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, … |
| CVE-2024-7423 | HIGH | 8.8 | 2024-09-13 | The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on th… |
| CVE-2024-7149 | HIGH | 8.8 | 2024-09-27 | The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via mul… |
| CVE-2024-10590 | HIGH | 8.8 | 2024-12-12 | The Opt-In Downloads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the admin_upload() function in all versions up to, and inc… |
| CVE-2025-1770 | HIGH | 8.8 | 2025-03-20 | The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via th… |
| CVE-2025-2525 | HIGH | 8.8 | 2025-04-08 | The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all ve… |
| CVE-2025-2526 | HIGH | 8.8 | 2025-04-08 | The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly val… |
| CVE-2025-4796 | HIGH | 8.8 | 2025-08-08 | The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly va… |
| CVE-2025-5931 | HIGH | 8.8 | 2025-08-26 | The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.5. This is due to the plugin not properly v… |
| CVE-2025-11923 | HIGH | 8.8 | 2025-11-13 | The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a use… |
| CVE-2026-1463 | HIGH | 8.8 | 2026-03-18 | The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 't… |
| CVE-2026-1829 | HIGH | 8.8 | 2026-06-02 | The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'et_pb_text' shortcode 'cvdb… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2023-5504 | HIGH | 8.7 | 2024-01-11 | The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to stor… |
| CVE-2026-9284 | HIGH | 8.2 | 2026-05-23 | The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-cr… |
| CVE-2024-13744 | HIGH | 8.1 | 2025-04-04 | The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart fu… |
| CVE-2023-52134 | HIGH | 7.6 | 2023-12-31 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eyal Fitoussi GEO my WordPress.This issue affects GEO my WordPress: from n/a … |
| CVE-2014-7228 | HIGH | 7.5 | 2014-11-03 | Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Back… |
| CVE-2022-3907 | HIGH | 7.5 | 2022-12-05 | The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API ke… |
| CVE-2023-7164 | HIGH | 7.5 | 2024-04-08 | The BackWPup WordPress plugin before 4.0.4 does not prevent Directory Listing in its temporary backup folder, allowing unauthenticated attackers to download backups of a site's da… |
| CVE-2025-3419 | HIGH | 7.5 | 2025-05-08 | The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the… |
| CVE-2025-52731 | HIGH | 7.5 | 2025-08-14 | Missing Authorization vulnerability in themefunction WordPress Event Manager, Event Calendar and Booking Plugin eventin-pro allows Exploiting Incorrectly Configured Access Control… |
| CVE-2026-2413 | HIGH | 7.5 | 2026-03-11 | The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insuffici… |
| CVE-2026-3496 | HIGH | 7.5 | 2026-03-11 | The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escap… |
| CVE-2026-7649 | HIGH | 7.5 | 2026-05-02 | The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orde… |
| CVE-2020-36716 | HIGH | 7.3 | 2023-06-07 | The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1… |
| CVE-2022-0228 | HIGH | 7.2 | 2022-02-21 | The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard,… |
| CVE-2024-12024 | HIGH | 7.2 | 2024-12-17 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the em_ticket_category_data and em_ticket_individual_d… |
| CVE-2024-13704 | HIGH | 7.2 | 2025-02-18 | The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insuf… |
| CVE-2024-13708 | HIGH | 7.2 | 2025-04-04 | The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions 4.0.1 to 7.2.4 due to insufficient input sanitizatio… |
| CVE-2025-7813 | HIGH | 7.2 | 2025-08-23 | The Events Calendar, Event Booking, Registrations and Event Tickets – Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and includin… |
| CVE-2025-14436 | HIGH | 7.2 | 2026-01-08 | The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due… |
| CVE-2025-14657 | HIGH | 7.2 | 2026-01-09 | The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability c… |
| CVE-2024-32549 | HIGH | 7.1 | 2024-04-17 | Cross-Site Request Forgery (CSRF) vulnerability in Microkid Related Posts for WordPress allows Cross-Site Scripting (XSS).This issue affects Related Posts for WordPress: from n/a … |
| CVE-2024-13863 | HIGH | 7.1 | 2025-03-25 | The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site … |
| CVE-2025-68887 | HIGH | 7.1 | 2026-01-08 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-busi… |
| CVE-2014-9033 | MEDIUM | 6.8 | 2014-11-25 | Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users f… |
| CVE-2014-9037 | MEDIUM | 6.8 | 2014-11-25 | WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an i… |
| CVE-2015-2755 | MEDIUM | 6.8 | 2015-04-01 | Multiple cross-site request forgery (CSRF) vulnerabilities in the AB Google Map Travel (AB-MAP) plugin before 4.0 for WordPress allow remote attackers to hijack the authentication… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2023-5505 | MEDIUM | 6.8 | 2024-08-17 | The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attack… |
| CVE-2021-39351 | MEDIUM | 6.5 | 2021-10-06 | The WP Bannerize WordPress plugin is vulnerable to authenticated SQL injection via the id parameter found in the ~/Classes/wpBannerizeAdmin.php file which allows attackers to exfi… |
| CVE-2021-24872 | MEDIUM | 6.5 | 2021-12-13 | The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contr… |
| CVE-2022-1788 | MEDIUM | 6.5 | 2022-06-13 | Due to missing checks the Change Uploaded File Permissions WordPress plugin through 4.0.0 is vulnerable to CSRF attacks. This can be used to change the file and folder permissions… |
| CVE-2023-3011 | MEDIUM | 6.5 | 2023-07-12 | The ARMember plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.5. This is due to missing or incorrect nonce validation on the … |
| CVE-2024-34801 | MEDIUM | 6.5 | 2024-06-03 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mervin Praison Praison SEO WordPress seo-wordpress allows DOM-Based XSS.This … |
| CVE-2024-13746 | MEDIUM | 6.5 | 2025-03-01 | The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bo… |
| CVE-2025-2519 | MEDIUM | 6.5 | 2025-04-08 | The Sreamit theme for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 4.0.1. This is due to insufficient file validation in the 'st_send_… |
| CVE-2025-52730 | MEDIUM | 6.5 | 2025-08-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themefunction WordPress Event Manager, Event Calendar and Booking Plugin even… |
| CVE-2025-58850 | MEDIUM | 6.5 | 2025-09-05 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in marcshowpass Showpass WordPress Extension showpass allows Stored XSS.This iss… |
| CVE-2025-10730 | MEDIUM | 6.5 | 2025-10-15 | The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escapin… |
| CVE-2025-13880 | MEDIUM | 6.5 | 2025-12-17 | The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized a… |
| CVE-2026-0572 | MEDIUM | 6.5 | 2026-02-04 | The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function i… |
| CVE-2014-9038 | MEDIUM | 6.4 | 2014-11-25 | wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) … |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-5467 | MEDIUM | 6.4 | 2023-10-10 | The GEO my WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.0 due to insufficient input sanitization … |
| CVE-2024-1328 | MEDIUM | 6.4 | 2024-03-12 | The Newsletter2Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 4.0.14 due to insufficient inpu… |
| CVE-2024-2304 | MEDIUM | 6.4 | 2024-03-20 | The Animated Headline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animated-headline' shortcode in all versions up to, and including, 4.0 du… |
| CVE-2024-4014 | MEDIUM | 6.4 | 2024-04-20 | The hCaptcha for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cf7-hcaptcha shortcode in all versions up to, and including, 4.0.0 du… |
| CVE-2024-5571 | MEDIUM | 6.4 | 2024-06-05 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Sto… |
| CVE-2024-4705 | MEDIUM | 6.4 | 2024-06-06 | The Testimonials Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonials shortcode in all versions up to, and including, 4.0.4 due t… |
| CVE-2024-5224 | MEDIUM | 6.4 | 2024-06-06 | The Easy Social Like Box – Popup – Sidebar Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cardoza_facebook_like_box' shortcode in all v… |
| CVE-2024-7703 | MEDIUM | 6.4 | 2024-08-17 | The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File upl… |
| CVE-2024-8959 | MEDIUM | 6.4 | 2024-10-24 | The WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up … |
| CVE-2024-12499 | MEDIUM | 6.4 | 2025-01-07 | The WP jQuery DataTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_jdt' shortcode in all versions up to, and including, 4.0.1 due to in… |
| CVE-2024-10894 | MEDIUM | 6.4 | 2025-04-10 | The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'datepicker', 'textarea', and 'text' in all versi… |
| CVE-2025-5539 | MEDIUM | 6.4 | 2025-06-04 | The Simple Contact Form Plugin for WordPress – WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all ve… |
| CVE-2025-5684 | MEDIUM | 6.4 | 2025-07-29 | The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `mf-template` DOM Element i… |
| CVE-2025-8315 | MEDIUM | 6.4 | 2025-08-05 | The WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.0.1 due to insuffici… |
| CVE-2025-10128 | MEDIUM | 6.4 | 2025-09-30 | The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due t… |
| CVE-2025-11129 | MEDIUM | 6.4 | 2025-11-11 | The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api' and 'type' parameters in all versions up to, and including, 4.0.0 d… |
| CVE-2025-13739 | MEDIUM | 6.4 | 2025-12-05 | The CryptX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `cryptx` shortcode in all versions up to, and including, 4.0.5 due to insufficient in… |
| CVE-2025-14893 | MEDIUM | 6.4 | 2026-01-09 | The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input … |
| CVE-2026-2383 | MEDIUM | 6.4 | 2026-02-27 | The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient inpu… |
| CVE-2026-6127 | MEDIUM | 6.4 | 2026-05-01 | The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is… |
| CVE-2026-7509 | MEDIUM | 6.4 | 2026-05-22 | The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to,… |
| CVE-2024-10681 | MEDIUM | 6.3 | 2024-12-06 | The The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to arbitrary shortcode execution in all ver… |
| CVE-2016-10705 | MEDIUM | 6.1 | 2018-01-12 | The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes module. |
| CVE-2016-10706 | MEDIUM | 6.1 | 2018-01-12 | The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vimeo link. |
| CVE-2018-17074 | MEDIUM | 6.1 | 2018-09-16 | The Feed Statistics plugin before 4.0 for WordPress has an Open Redirect via the feed-stats-url parameter. |
| CVE-2016-10868 | MEDIUM | 6.1 | 2019-08-13 | The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPress has XSS in the blacklist, file system, and file change detection settings pages. |
| CVE-2016-10869 | MEDIUM | 6.1 | 2019-08-13 | The contact-form-plugin plugin before 4.0.2 for WordPress has XSS. |
| CVE-2016-10871 | MEDIUM | 6.1 | 2019-08-13 | The mailchimp-for-wp plugin before 4.0.11 for WordPress has XSS on the integration settings page. |
| CVE-2017-18491 | MEDIUM | 6.1 | 2019-08-13 | The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues. |
| CVE-2016-10867 | MEDIUM | 6.1 | 2019-08-13 | The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages. |
| CVE-2017-18608 | MEDIUM | 6.1 | 2019-09-10 | The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS issues. |
| CVE-2015-9539 | MEDIUM | 6.1 | 2019-11-26 | The Fast Secure Contact Form plugin before 4.0.38 for WordPress allows fs_contact_form1[welcome] XSS. |
| CVE-2019-19133 | MEDIUM | 6.1 | 2019-12-04 | The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a csshero_action=edit_page request because it fails to sufficiently sanitize user-supplied… |
| CVE-2020-5392 | MEDIUM | 6.1 | 2020-04-01 | A stored cross-site scripting (XSS) vulnerability exists in the Auth0 plugin before 4.0.0 for WordPress via the settings page. |
| CVE-2020-6753 | MEDIUM | 6.1 | 2020-04-01 | The Login by Auth0 plugin before 4.0.0 for WordPress allows stored XSS on multiple pages, a different issue than CVE-2020-5392. |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2021-24294 | MEDIUM | 6.1 | 2021-05-24 | The dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some POST parameter submitted before outputting them in th… |
| CVE-2021-24335 | MEDIUM | 6.1 | 2021-06-01 | The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading… |
| CVE-2021-24657 | MEDIUM | 6.1 | 2021-09-20 | The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses (which can be controlled by attacker via headers such as X-Forwarded-For) of attempted log… |
| CVE-2021-25074 | MEDIUM | 6.1 | 2022-01-24 | The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to a… |
| CVE-2022-0431 | MEDIUM | 6.1 | 2022-04-04 | The Insights from Google PageSpeed WordPress plugin before 4.0.4 does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings… |
| CVE-2022-2241 | MEDIUM | 6.1 | 2022-08-01 | The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admi… |
| CVE-2023-1596 | MEDIUM | 6.1 | 2023-05-15 | The tagDiv Composer WordPress plugin before 4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which c… |
| CVE-2023-2362 | MEDIUM | 6.1 | 2023-06-12 | The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before… |
| CVE-2023-3139 | MEDIUM | 6.1 | 2023-07-04 | The Protect WP Admin WordPress plugin before 4.0 discloses the URL of the admin panel via a redirection of a crafted URL, bypassing the protection offered. |
| CVE-2024-4133 | MEDIUM | 6.1 | 2024-05-02 | The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Open Redirect in all versions up to, and inc… |
| CVE-2024-9375 | MEDIUM | 6.1 | 2024-10-04 | The WordPress Captcha Plugin by Captcha Bank plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on t… |
| CVE-2024-9864 | MEDIUM | 6.1 | 2024-10-24 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket names in all versions up to, and including, 4.0… |
| CVE-2024-9865 | MEDIUM | 6.1 | 2024-10-24 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ep_booking_attendee_fields’ fields in all version… |
| CVE-2024-9609 | MEDIUM | 6.1 | 2024-11-15 | The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'learnpress_import_form_server' para… |
| CVE-2024-11374 | MEDIUM | 6.1 | 2024-12-07 | The TWChat – Send or receive messages from users plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escapi… |
| CVE-2025-1511 | MEDIUM | 6.1 | 2025-02-28 | The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parame… |
| CVE-2024-13853 | MEDIUM | 6.1 | 2025-03-11 | The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which coul… |
| CVE-2026-2830 | MEDIUM | 6.1 | 2026-03-06 | The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all… |
| CVE-2024-4096 | MEDIUM | 5.9 | 2024-07-30 | The Responsive Tabs WordPress plugin through 4.0.8 does not sanitise and escape some of its Tab settings, which could allow high privilege users such as Contributors and above to … |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2024-13879 | MEDIUM | 5.5 | 2025-02-17 | The Stream plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.2 due to insufficient validation on the webhook feature. Thi… |
| CVE-2018-9034 | MEDIUM | 5.4 | 2018-04-04 | Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the t… |
| CVE-2018-0577 | MEDIUM | 5.4 | 2018-05-14 | Cross-site scripting vulnerability in WP Google Map Plugin prior to version 4.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vect… |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2021-24136 | MEDIUM | 5.4 | 2021-03-18 | Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing r… |
| CVE-2021-24918 | MEDIUM | 5.4 | 2021-11-29 | The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user… |
| CVE-2021-24871 | MEDIUM | 5.4 | 2021-12-13 | The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contribut… |
| CVE-2021-24826 | MEDIUM | 5.4 | 2022-03-07 | The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) u… |
| CVE-2022-4005 | MEDIUM | 5.4 | 2022-12-12 | The Donation Button WordPress plugin through 4.0.0 does not sanitize and escapes some parameters, which could allow users with a role as low as Contributor to perform Cross-Site S… |
| CVE-2022-4578 | MEDIUM | 5.4 | 2023-01-16 | The Video Conferencing with Zoom WordPress plugin before 4.0.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could … |
| CVE-2022-4458 | MEDIUM | 5.4 | 2023-02-13 | The amr shortcode any widget WordPress plugin through 4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow … |
| CVE-2022-4714 | MEDIUM | 5.4 | 2023-02-21 | The WP Dark Mode WordPress plugin before 4.0.0 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform S… |
| CVE-2023-0069 | MEDIUM | 5.4 | 2023-03-06 | The WPaudio MP3 Player WordPress plugin through 4.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode … |
| CVE-2023-0273 | MEDIUM | 5.4 | 2023-03-20 | The Custom Content Shortcode WordPress plugin through 4.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shor… |
| CVE-2019-25143 | MEDIUM | 5.4 | 2023-06-07 | The GDPR Cookie Compliance plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the gdpr_cookie_compliance_reset_settings AJAX action in… |
| CVE-2024-1846 | MEDIUM | 5.4 | 2024-04-15 | The Responsive Tabs WordPress plugin before 4.0.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is e… |
| CVE-2024-3239 | MEDIUM | 5.4 | 2024-05-14 | The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.0.2 does not validate and escape some of its block options before outputting them back in a pag… |
| CVE-2024-3288 | MEDIUM | 5.4 | 2024-06-07 | The Logo Slider WordPress plugin before 4.0.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the… |
| CVE-2024-7621 | MEDIUM | 5.4 | 2024-08-12 | The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check … |
| CVE-2024-7424 | MEDIUM | 5.4 | 2024-11-01 | The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to unauthorized modification of and access to data due to a missing capability check on several functio… |
| CVE-2024-10705 | MEDIUM | 5.4 | 2025-01-26 | The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.5 via the 'mpg_download_file_b… |
| CVE-2025-12524 | MEDIUM | 5.4 | 2025-11-18 | The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlle… |
| CVE-2022-0188 | MEDIUM | 5.3 | 2022-02-14 | The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout. |
| CVE-2024-1109 | MEDIUM | 5.3 | 2024-02-07 | The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in al… |
| CVE-2024-1110 | MEDIUM | 5.3 | 2024-02-07 | The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init() function in all versions up t… |
| CVE-2024-0975 | MEDIUM | 5.3 | 2024-02-28 | The WordPress Access Control plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.13 via the REST API. This makes it pos… |
| CVE-2024-1492 | MEDIUM | 5.3 | 2024-02-29 | The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybe_send_to_packeta function in all versions up to… |
| CVE-2024-8369 | MEDIUM | 5.3 | 2024-09-10 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorizati… |
| CVE-2024-12104 | MEDIUM | 5.3 | 2025-01-21 | The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the w… |
| CVE-2025-1063 | MEDIUM | 5.3 | 2025-02-25 | The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.… |
| CVE-2025-1766 | MEDIUM | 5.3 | 2025-03-20 | The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on t… |
| CVE-2025-10186 | MEDIUM | 5.3 | 2025-10-15 | The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row… |
| CVE-2025-14061 | MEDIUM | 5.3 | 2025-12-17 | The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized d… |
| CVE-2025-14434 | MEDIUM | 5.3 | 2025-12-31 | The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without ensuring that po… |
| CVE-2025-11370 | MEDIUM | 5.3 | 2026-01-06 | The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulne… |
| CVE-2026-1060 | MEDIUM | 5.3 | 2026-01-28 | The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list RES… |
| CVE-2026-1219 | MEDIUM | 5.3 | 2026-02-19 | The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_… |
| CVE-2025-14755 | MEDIUM | 5.3 | 2026-05-13 | The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and includi… |
| CVE-2013-1949 | MEDIUM | 5.0 | 2013-04-25 | Social Media Widget (social-media-widget) plugin 4.0 for WordPress contains an externally introduced modification (Trojan Horse), which allows remote attackers to force the upload… |
| CVE-2014-9034 | MEDIUM | 5.0 | 2014-11-25 | wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU cons… |
| CVE-2014-9283 | MEDIUM | 5.0 | 2015-03-03 | The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vecto… |
| CVE-2022-2554 | MEDIUM | 4.9 | 2022-10-10 | The Enable Media Replace WordPress plugin before 4.0.0 does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to m… |
| CVE-2025-5524 | MEDIUM | 4.9 | 2025-06-19 | The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitiza… |
| CVE-2021-24533 | MEDIUM | 4.8 | 2021-08-23 | The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in th… |
| CVE-2022-1456 | MEDIUM | 4.8 | 2022-05-30 | The Poll Maker WordPress plugin before 4.0.2 does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Store Cross-Site Scripting… |
| CVE-2022-1029 | MEDIUM | 4.8 | 2022-06-27 | The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malici… |
| CVE-2022-2278 | MEDIUM | 4.8 | 2022-08-01 | The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin … |
| CVE-2022-2411 | MEDIUM | 4.8 | 2022-08-08 | The Auto More Tag WordPress plugin through 4.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Si… |
| CVE-2022-36356 | MEDIUM | 4.8 | 2022-09-09 | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy / Thirty8 Digital Culture Object plugin <= 4.0.1 at WordPress. |
| CVE-2022-3835 | MEDIUM | 4.8 | 2022-12-26 | The Kwayy HTML Sitemap WordPress plugin before 4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-… |
| CVE-2023-1982 | MEDIUM | 4.8 | 2023-08-30 | The Front Editor WordPress plugin through 4.0.4 does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripti… |
| CVE-2024-6138 | MEDIUM | 4.8 | 2024-07-11 | The Secure Copy Content Protection and Content Locking WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such… |
| CVE-2024-0974 | MEDIUM | 4.8 | 2024-07-12 | The Social Media Widget WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cro… |
| CVE-2022-0328 | MEDIUM | 4.7 | 2022-02-28 | The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a… |
| CVE-2022-29430 | MEDIUM | 4.7 | 2022-05-20 | Cross-Site Scripting (XSS) vulnerability in KubiQ's PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF). Vulnerable parameter &jpg_quality. |
| CVE-2023-3996 | MEDIUM | 4.4 | 2023-10-20 | The ARMember Lite - Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.0.16 due to insufficient in… |
| CVE-2023-6494 | MEDIUM | 4.4 | 2024-04-13 | The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.2 due to in… |
| CVE-2025-12124 | MEDIUM | 4.4 | 2025-12-05 | The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient inpu… |
| CVE-2025-12451 | MEDIUM | 4.4 | 2026-02-19 | The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input san… |
| CVE-2026-7430 | MEDIUM | 4.4 | 2026-05-29 | The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of im… |
| CVE-2013-6342 | MEDIUM | 4.3 | 2013-11-22 | Cross-site scripting (XSS) vulnerability in the Tweet Blender plugin before 4.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tb_tab_index… |
| CVE-2014-9032 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web… |
| CVE-2014-9035 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject ar… |
| CVE-2014-9036 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web sc… |
| CVE-2014-9039 | MEDIUM | 4.3 | 2014-11-25 | wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-m… |
| CVE-2015-3439 | MEDIUM | 4.3 | 2015-08-05 | Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and… |
| CVE-2021-24824 | MEDIUM | 4.3 | 2022-03-07 | The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary p… |
| CVE-2021-24825 | MEDIUM | 4.3 | 2022-03-07 | The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2… |
| CVE-2022-4004 | MEDIUM | 4.3 | 2022-12-12 | The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may all… |
| CVE-2023-0467 | MEDIUM | 4.3 | 2023-03-27 | The WP Dark Mode WordPress plugin before 4.0.8 does not properly sanitize the style parameter in shortcodes before using it to load a PHP template. This leads to Local File Inclus… |
| CVE-2023-2083 | MEDIUM | 4.3 | 2023-06-09 | The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the save function in versions up to, and includin… |
| CVE-2023-2084 | MEDIUM | 4.3 | 2023-06-09 | The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the get function in versions up to, and including… |
| CVE-2023-2085 | MEDIUM | 4.3 | 2023-06-09 | The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the templates function in versions up to, and inc… |
| CVE-2023-2086 | MEDIUM | 4.3 | 2023-06-09 | The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the template_count function in versions up to, an… |
| CVE-2023-2087 | MEDIUM | 4.3 | 2023-06-09 | The Essential Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.6. This is due to missing or incorrect nonce validation… |
| CVE-2023-4150 | MEDIUM | 4.3 | 2023-08-30 | The User Activity Tracking and Log WordPress plugin before 4.0.9 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins u… |
| CVE-2024-6033 | MEDIUM | 4.3 | 2024-07-17 | The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the '… |
| CVE-2023-28165 | MEDIUM | 4.3 | 2024-12-09 | Missing Authorization vulnerability in Tech Banker Backup Bank: WordPress Backup Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects … |
| CVE-2023-48332 | MEDIUM | 4.3 | 2024-12-09 | Missing Authorization vulnerability in Varun Sharma Mail Bank - #1 Mail SMTP Plugin for WordPress wp-mail-bank allows Exploiting Incorrectly Configured Access Control Security Lev… |
| CVE-2024-12781 | MEDIUM | 4.3 | 2025-01-07 | The Aurum - WordPress & WooCommerce Shopping Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'lab_1cl_demo_in… |
| CVE-2024-12618 | MEDIUM | 4.3 | 2025-01-09 | The Newsletter2Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resetStyles' AJAX action in all versions up to,… |
| CVE-2024-13526 | MEDIUM | 4.3 | 2025-03-07 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the export_submittio… |
| CVE-2025-1504 | MEDIUM | 4.3 | 2025-03-08 | The Post Lockdown plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.0.2 via the 'pl_autocomplete' AJAX action due to insufficient … |
| CVE-2025-8891 | MEDIUM | 4.3 | 2025-08-13 | The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_… |
| CVE-2025-9202 | MEDIUM | 4.3 | 2025-08-20 | The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcome_notice_import_handler() function in all versio… |
| CVE-2025-8383 | MEDIUM | 4.3 | 2025-10-31 | The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 4.0.4. This is due to missing or incorrect nonce validation on th… |
| CVE-2025-11373 | MEDIUM | 4.3 | 2025-11-05 | The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulne… |
| CVE-2025-14277 | MEDIUM | 4.3 | 2025-12-18 | The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_temp… |
| CVE-2026-1369 | MEDIUM | 4.3 | 2026-02-22 | The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2021-4428 | LOW | 2.7 | 2023-07-18 | A vulnerability has been found in what3words Autosuggest Plugin up to 4.0.0 on WordPress and classified as problematic. Affected by this vulnerability is the function enqueue_scri… |
| CVE-2024-6694 | LOW | 2.7 | 2024-07-20 | The WP Mail SMTP plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 4.0.1. This is due to plugin providing the SMTP password in the S… |
| CVE-2024-10672 | LOW | 2.7 | 2024-11-12 | The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_bl… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
| CVE-2023-5775 | LOW | 2.2 | 2024-02-26 | The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to the plugin impro… |
WordPress 4.0 represents a critical security liability for any active website, with 235 documented vulnerabilities waiting to be exploited by cybercriminals. The 12 critical-level flaws—including Remote Code Execution and SQL injection attacks—pose an immediate threat to your data, customer information, and site reputation. Delaying this upgrade is not an option if you want to protect your business and maintain visitor trust.
Don't let your WordPress site become another breach statistic. Use SiteRecipe.com's vulnerability scanner to identify all security weaknesses on your WordPress installation, receive personalized remediation guidance, and track your security improvements over time. Our platform makes it easy to prioritize fixes, manage updates efficiently, and ensure your website stays protected against emerging threats. Start your free security assessment today and take the first step toward a safer, more secure WordPress experience.