WordPress 4.0.1 contains a significant security risk with 56 documented vulnerabilities, including 1 critical flaw and 10 high-severity issues that could compromise your website. Currently, approximately 30 websites are still running this vulnerable version, making them prime targets for cyberattacks. This comprehensive guide will help you identify if your site is affected and provide step-by-step instructions to secure your installation.
The most dangerous vulnerability is CVE-2023-3197, a critical unauthenticated SQL injection in the MStore API plugin that could allow attackers to access your entire database without any authentication. Additionally, multiple CSRF vulnerabilities and file upload exploits could grant attackers unauthorized access to your site's administrative functions and sensitive data.
WordPress 4.0.1 is an older version of the world's most popular website platform, powering over 43% of all websites on the internet. It's designed to help anyone create and manage content without needing technical coding knowledge. However, this version was released over a decade ago and lacks the modern security protections that newer versions provide.
Think of WordPress like a house: older versions have outdated locks and security systems that hackers have learned how to bypass. WordPress 4.0.1 specifically has multiple doors (vulnerabilities) that attackers can use to break in, steal information, or take control of your website. While it may have worked fine when released, cybercriminals have since discovered 56 different ways to exploit it, making it extremely dangerous to run in 2024 or 2025.
56 CVEs found. The most critical are explained below.
The MStore API plugin has a serious flaw that allows hackers to bypass login requirements and directly access your website's database. Attackers can extract sensitive information like customer data, passwords, and business information without needing any credentials.
Impact: Hackers could steal all your customer data, payment information, and confidential business records. Your website could be completely compromised and shut down.
The SEO Backlinks plugin lacks proper security checks, allowing attackers to make a logged-in user's browser submit actions to your site without that user's knowledge. This happens through a technique called 'Cross-Site Request Forgery', where hackers force actions on behalf of your visitors.
Impact: Your users could be redirected to malicious websites, have their accounts compromised, or have malware installed on their computers.
The Stream plugin doesn't properly verify requests to change important website settings. Attackers can trick your site into making unwanted changes to critical configurations without your knowledge or authorization.
Impact: Hackers could alter your website settings, disable security features, create unauthorized admin accounts, or modify how your site functions.
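The pattern behind this class of bug, as an added example that is not code from the Stream plugin or from this page: a settings handler for a hypothetical "acme" plugin in its vulnerable form beside the form WordPress expects, with a nonce check against forged requests, a capability check against under-privileged users, and sanitization of the value. The option, action and hook names are assumptions.

```php
<?php
// Added example: hypothetical "acme" plugin, not code from any plugin on the page.
// Vulnerable pattern (the bug class described above): the handler trusts any
// request that reaches admin-ajax.php. Browsers attach the admin's cookies
// automatically, so a form on another site can submit this on the admin's
// behalf (CSRF), and any logged-in user can also call it directly.
function acme_save_settings_vulnerable() {
    update_option( 'acme_redirect_url', $_POST['redirect_url'] ); // no nonce, capability or sanitization
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_save_settings_vulnerable', 'acme_save_settings_vulnerable' );

// Hardened handler.
function acme_save_settings() {
    // 1. CSRF: the request must carry a nonce minted for this exact action;
    //    on failure check_ajax_referer() stops execution with an error response.
    check_ajax_referer( 'acme_save_settings', 'nonce' );

    // 2. Authorization: being logged in is not enough; require the capability
    //    the action needs (manage_options is administrators by default).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: unslash, sanitize as a URL, and refuse off-site targets so the
    //    setting cannot be turned into an open redirect.
    $redirect  = isset( $_POST['redirect_url'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) ) : '';
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( '' !== $redirect && wp_parse_url( $redirect, PHP_URL_HOST ) !== $site_host ) {
        wp_send_json_error( array( 'message' => 'Only same-site URLs are allowed.' ), 400 );
    }

    update_option( 'acme_redirect_url', $redirect );
    wp_send_json_success( array( 'redirect_url' => $redirect ) );
}
add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings' );

// The settings page hands the matching nonce to the script that submits the
// form. 'settings_page_acme' is the assumed hook suffix of the options page.
function acme_enqueue_settings_script( $hook ) {
    if ( 'settings_page_acme' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'acme-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'acme-settings', 'acmeSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'acme_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'acme_enqueue_settings_script' );
```

The same three checks apply to the "missing capability check" and "no nonce validation before saving settings" entries in the table further down, which are this defect in different plugins.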
The Streamit theme doesn't properly check what files users can upload to your server. This allows someone with even basic user access to upload dangerous files like viruses or backdoors.
Impact: Malicious files could be uploaded to take over your entire website, steal data, or use your server to attack other websites.
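An added example, not the Streamit theme's code: an upload endpoint for a hypothetical "acme" theme that sends files through wp_handle_upload() with an explicit allowlist instead of moving them into place itself, so executable types and extension/content mismatches are rejected server-side. Function, hook and field names and the allowed set are assumptions.

```php
<?php
// Added example: hypothetical "acme" theme, not code from any theme on the page.
// The bug class above comes from themes that take $_FILES and call
// move_uploaded_file() themselves, so a .php file can land in a web-reachable
// directory. Routing the file through core's upload pipeline with an explicit
// allowlist closes that.

// Sitewide: restrict upload types to what the site needs. SVG is deliberately
// absent: it is XML and can carry script (see the stored-XSS-via-SVG rows in
// the table below).
function acme_allowed_upload_mimes( $mimes ) {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );
}
add_filter( 'upload_mimes', 'acme_allowed_upload_mimes' );

// Upload endpoint on admin-ajax. Only wp_ajax_ is hooked (no wp_ajax_nopriv_),
// so anonymous visitors cannot reach it at all.
function acme_handle_upload() {
    check_ajax_referer( 'acme_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    if ( empty( $_FILES['acme_file'] ) || UPLOAD_ERR_OK !== (int) $_FILES['acme_file']['error'] ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    // wp_handle_upload() checks the extension against the allowlist, verifies it
    // against the detected content via wp_check_filetype_and_ext(), picks a
    // unique sanitized filename and stores the file under wp-content/uploads.
    // 'mimes' narrows the allowed set further for this one endpoint.
    $result = wp_handle_upload(
        $_FILES['acme_file'],
        array(
            'test_form' => false,
            'mimes'     => array( 'jpg|jpeg|jpe' => 'image/jpeg', 'png' => 'image/png' ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_acme_upload', 'acme_handle_upload' );
```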
The BackWPup backup plugin allows attackers to save backup files in unintended locations on your server. Combined with weak default settings, this could expose your complete website backups in accessible locations.
Impact: Your entire website including databases and files could be accessed, copied, or deleted by attackers.
The WooCommerce PayPal Payments plugin doesn't properly verify that requests to create or view orders actually come from authorized users. Attackers can manipulate orders and access sensitive payment and customer information.
Impact: Hackers could create fake orders, change prices, access customer payment details, or bypass payment requirements entirely.
The full table of CVEs follows; each ID can be looked up on NVD.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-13744 | HIGH | 8.1 | 2025-04-04 | The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart fu… |
| CVE-2020-36716 | HIGH | 7.3 | 2023-06-07 | The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1… |
| CVE-2024-13704 | HIGH | 7.2 | 2025-02-18 | The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insuf… |
| CVE-2024-13708 | HIGH | 7.2 | 2025-04-04 | The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions 4.0.1 to 7.2.4 due to insufficient input sanitizatio… |
| CVE-2025-68887 | HIGH | 7.1 | 2026-01-08 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-busi… |
| CVE-2014-9037 | MEDIUM | 6.8 | 2014-11-25 | WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an i… |
| CVE-2023-5505 | MEDIUM | 6.8 | 2024-08-17 | The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attack… |
| CVE-2024-34801 | MEDIUM | 6.5 | 2024-06-03 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mervin Praison Praison SEO WordPress seo-wordpress allows DOM-Based XSS. This … |
| CVE-2025-2519 | MEDIUM | 6.5 | 2025-04-08 | The Streamit theme for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 4.0.1. This is due to insufficient file validation in the 'st_send_… |
| CVE-2025-13880 | MEDIUM | 6.5 | 2025-12-17 | The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized a… |
| CVE-2014-9038 | MEDIUM | 6.4 | 2014-11-25 | wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) … |
| CVE-2024-1328 | MEDIUM | 6.4 | 2024-03-12 | The Newsletter2Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 4.0.14 due to insufficient inpu… |
| CVE-2024-5571 | MEDIUM | 6.4 | 2024-06-05 | The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Sto… |
| CVE-2024-8959 | MEDIUM | 6.4 | 2024-10-24 | The WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up … |
| CVE-2024-12499 | MEDIUM | 6.4 | 2025-01-07 | The WP jQuery DataTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_jdt' shortcode in all versions up to, and including, 4.0.1 due to in… |
| CVE-2025-5684 | MEDIUM | 6.4 | 2025-07-29 | The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `mf-template` DOM Element i… |
| CVE-2025-8315 | MEDIUM | 6.4 | 2025-08-05 | The WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.0.1 due to insuffici… |
| CVE-2025-10128 | MEDIUM | 6.4 | 2025-09-30 | The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due t… |
| CVE-2026-7509 | MEDIUM | 6.4 | 2026-05-22 | The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to,… |
| CVE-2016-10871 | MEDIUM | 6.1 | 2019-08-13 | The mailchimp-for-wp plugin before 4.0.11 for WordPress has XSS on the integration settings page. |
| CVE-2022-2241 | MEDIUM | 6.1 | 2022-08-01 | The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admi… |
| CVE-2021-24918 | MEDIUM | 5.4 | 2021-11-29 | The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user… |
| CVE-2021-24871 | MEDIUM | 5.4 | 2021-12-13 | The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contribut… |
| CVE-2021-24826 | MEDIUM | 5.4 | 2022-03-07 | The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) u… |
| CVE-2022-4578 | MEDIUM | 5.4 | 2023-01-16 | The Video Conferencing with Zoom WordPress plugin before 4.0.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could … |
| CVE-2024-7424 | MEDIUM | 5.4 | 2024-11-01 | The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to unauthorized modification of and access to data due to a missing capability check on several functio… |
| CVE-2022-0188 | MEDIUM | 5.3 | 2022-02-14 | The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout. |
| CVE-2024-1109 | MEDIUM | 5.3 | 2024-02-07 | The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in al… |
| CVE-2024-1110 | MEDIUM | 5.3 | 2024-02-07 | The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init() function in all versions up t… |
| CVE-2024-0975 | MEDIUM | 5.3 | 2024-02-28 | The WordPress Access Control plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.13 via the REST API. This makes it pos… |
| CVE-2025-10186 | MEDIUM | 5.3 | 2025-10-15 | The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row… |
| CVE-2025-14434 | MEDIUM | 5.3 | 2025-12-31 | The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without ensuring that po… |
| CVE-2025-14755 | MEDIUM | 5.3 | 2026-05-13 | The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and includi… |
| CVE-2014-9034 | MEDIUM | 5.0 | 2014-11-25 | wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU cons… |
| CVE-2022-2278 | MEDIUM | 4.8 | 2022-08-01 | The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin … |
| CVE-2022-36356 | MEDIUM | 4.8 | 2022-09-09 | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy / Thirty8 Digital Culture Object plugin <= 4.0.1 at WordPress. |
| CVE-2023-3996 | MEDIUM | 4.4 | 2023-10-20 | The ARMember Lite - Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.0.16 due to insufficient in… |
| CVE-2025-12124 | MEDIUM | 4.4 | 2025-12-05 | The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient inpu… |
| CVE-2026-7430 | MEDIUM | 4.4 | 2026-05-29 | The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of im… |
| CVE-2014-9032 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web… |
| CVE-2014-9035 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject ar… |
| CVE-2014-9036 | MEDIUM | 4.3 | 2014-11-25 | Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web sc… |
| CVE-2014-9039 | MEDIUM | 4.3 | 2014-11-25 | wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-m… |
| CVE-2021-24824 | MEDIUM | 4.3 | 2022-03-07 | The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary p… |
| CVE-2021-24825 | MEDIUM | 4.3 | 2022-03-07 | The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2… |
| CVE-2023-48332 | MEDIUM | 4.3 | 2024-12-09 | Missing Authorization vulnerability in Varun Sharma Mail Bank - #1 Mail SMTP Plugin for WordPress wp-mail-bank allows Exploiting Incorrectly Configured Access Control Security Lev… |
| CVE-2024-12618 | MEDIUM | 4.3 | 2025-01-09 | The Newsletter2Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resetStyles' AJAX action in all versions up to,… |
| CVE-2025-9202 | MEDIUM | 4.3 | 2025-08-20 | The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcome_notice_import_handler() function in all versio… |
| CVE-2021-4428 | LOW | 2.7 | 2023-07-18 | A vulnerability has been found in what3words Autosuggest Plugin up to 4.0.0 on WordPress and classified as problematic. Affected by this vulnerability is the function enqueue_scri… |
| CVE-2024-6694 | LOW | 2.7 | 2024-07-20 | The WP Mail SMTP plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 4.0.1. This is due to plugin providing the SMTP password in the S… |
WordPress 4.0.1 represents a critical security threat with 56 known vulnerabilities waiting to be exploited by attackers. The longer you delay updating, the higher your risk of data breach, malware infection, or complete loss of site control. By following this guide, you can secure your website and protect your visitors' data within the next few hours.
Don't leave your WordPress site vulnerable another day. Use SiteRecipe.com's website security scanning tool to continuously monitor your WordPress installation for vulnerabilities, receive instant alerts about new threats, and get automated recommendations for patches and updates. Our platform specifically tracks WordPress CVEs and plugin vulnerabilities so you'll never be caught running dangerous versions again. Start your free security scan today at SiteRecipe.com.