WordPress 4.1.1 is a WordPress core release from 2015, and the version string 4.1.1 also matches 43 CVEs in the vulnerability database behind this page. Read the table before panicking: nearly every matched CVE is in a plugin or theme whose own version number is 4.1.1 (affected "before 4.1.1", "through 4.1.1", "up to and including 4.1.11" and so on), not in WordPress core. None of the listed entries is rated Critical; the highest CVSS score in the table is 8.2 (High). The issues include SQL injection, CSRF, unauthorized plugin installation, unauthenticated file upload and stored cross-site scripting. If your site runs core 4.1.1, or any of the listed plugins or themes at an affected version, this guide shows how to confirm that and how to fix it.
Security vulnerabilities in WordPress core, plugins and themes are documented in the CVE (Common Vulnerabilities and Exposures) database and scored in NVD. The matches for 4.1.1 include issues in popular plugins such as Popup Builder, Estatik Real Estate and CMP Coming Soon, each at a plugin version in the 4.1.x range. This page's data counts 34 websites still reporting this version. Publicly documented flaws in widely installed plugins are scanned for and exploited at scale, so an unpatched install is a realistic target rather than a theoretical one.
The good news is that updating is usually quick: a plugin update or a point release of core takes minutes. A jump from core 4.1.1 to a current release spans many major versions, so take a fresh backup first and, ideally, test on a staging copy, because old themes, old plugins and an old PHP version can break on the new core. The steps below show how to check what you are running and how to apply the updates.
WordPress 4.1.1 is a core release from February 2015. WordPress is the software that powers over 43% of all websites on the internet; it is the platform you use to create and manage your website's content, design and functionality. Think of it as the operating system for your website. Just as you update your phone or computer regularly, WordPress core, plugins and themes need regular updates to stay secure and work properly.
Each WordPress release fixes bugs, adds features and, most importantly, closes security holes. Point releases on the same branch are security releases: 4.1.2, for example, fixed cross-site scripting bugs that 4.1.1 still has, and many further 4.1.x point releases have followed. Running an outdated version is like having a front-door lock whose bypass has been published: the vulnerabilities are documented in public advisories, often with proof-of-concept exploits, and attackers scan for vulnerable version strings automatically.
The table further down lists 37 entries (the page header counts 43 matches). The entries with the most serious impact are summarised first.
Popup Builder (two entries in the table). A CSRF flaw in versions up to 4.1.11 lets an attacker change the plugin's settings by getting a logged-in administrator to load a crafted page, and a separate stored XSS in versions before 4.1.11 lets a high-privilege user save script into settings that later render unescaped. Neither is exploitable by an anonymous visitor on its own: the CSRF needs an administrator's browser session and the XSS needs an account with elevated rights.
Impact: plugin settings can be changed silently, and injected script can deface pages or redirect visitors to malicious sites.
Estatik Real Estate. The plugin unserializes data it reads from cookies without validating it, so an unauthenticated visitor controls which PHP objects get instantiated (PHP object injection). Whether that turns into code execution depends on what other code on the site is available as a gadget chain. The table also lists two further Estatik issues: subscriber-level users can set arbitrary site options to 1, and several parameters are output unescaped (reflected XSS).
Impact: in the worst case a full site takeover with malware served to every visitor; at minimum, low-privilege users can flip site settings they should never reach.
PostX. A missing capability check lets users who should not be able to do so install and activate plugins, bypassing the administrator-only restriction WordPress normally enforces. The PostX row in the table, CVE-2024-5223, is a separate stored XSS through the plugin's file upload feature.
Impact: malicious plugins can be installed to steal data, display ads or fully compromise the site.
Import & Export. The plugin does not verify the caller's permissions before sensitive actions, which lets an attacker run database queries and escalate to administrator.
Impact: attackers can read the entire database, modify content, create rogue administrator accounts or exfiltrate all site data.
Constant Contact. The email marketing plugin handles untrusted data unsafely, allowing injected code to execute on the server.
Impact: full compromise of the site, including theft of customer data or use of the server to send spam.
CMP Coming Soon. File uploads are accepted without adequate type checks, so an attacker can upload a PHP file and execute it on the server.
Impact: server-side compromise: file theft, web shells, malware or ransomware, and use of the site for further attacks.
The table below lists all 37 matched entries; each CVE ID can be looked up on NVD for the full description.
| CVE ID | Severity | CVSS score | Published | Description (truncated) |
|---|---|---|---|---|
| CVE-2024-24796 | HIGH | 8.2 | 2024-02-12 | Deserialization of Untrusted Data vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin.This issue affects Event… |
| CVE-2023-0812 | HIGH | 7.5 | 2023-05-15 | The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.1 does not have proper authorization or nonce values for some POST requests, leading to unauthentic… |
| CVE-2023-5003 | HIGH | 7.5 | 2023-10-16 | The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unf… |
| CVE-2024-8352 | HIGH | 7.5 | 2024-10-03 | The Social Web Suite – Social Media Auto Post, Social Media Auto Publish plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.1.11 via… |
| CVE-2025-4206 | HIGH | 7.2 | 2025-05-09 | The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file pa… |
| CVE-2025-32520 | HIGH | 7.1 | 2025-04-17 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M. Ali Saleem WordPress Health and Server Condition – Integrated with Google … |
| CVE-2016-11011 | MEDIUM | 6.5 | 2019-09-20 | The wp-invoice plugin before 4.1.1 for WordPress has wpi_update_user_option privilege escalation. |
| CVE-2023-6048 | MEDIUM | 6.5 | 2024-01-15 | The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, … |
| CVE-2024-13341 | MEDIUM | 6.5 | 2025-02-01 | The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to SQL Injection via the 'data-id' parameter in all versions up to, and includi… |
| CVE-2024-5223 | MEDIUM | 6.4 | 2024-05-30 | The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploading feature in all v… |
| CVE-2024-5259 | MEDIUM | 6.4 | 2024-06-06 | The MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hover_animation’ parameter i… |
| CVE-2026-4341 | MEDIUM | 6.4 | 2026-04-08 | The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up t… |
| CVE-2019-25742 | MEDIUM | 6.4 | 2026-06-04 | WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address i… |
| CVE-2021-24351 | MEDIUM | 6.1 | 2021-06-14 | The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected… |
| CVE-2021-24358 | MEDIUM | 6.1 | 2021-06-14 | The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, le… |
| CVE-2021-24466 | MEDIUM | 6.1 | 2021-08-16 | The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/… |
| CVE-2022-1724 | MEDIUM | 6.1 | 2022-06-13 | The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site S… |
| CVE-2023-6050 | MEDIUM | 6.1 | 2024-01-15 | The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading … |
| CVE-2024-11329 | MEDIUM | 6.1 | 2024-12-07 | The Comfino Payment Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on… |
| CVE-2024-13112 | MEDIUM | 6.1 | 2025-01-31 | The WP MediaTagger WordPress plugin through 4.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which… |
| CVE-2021-25065 | MEDIUM | 5.4 | 2022-01-17 | The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in custom-facebook-feed in cff-top admin page. |
| CVE-2022-29495 | MEDIUM | 5.4 | 2022-07-22 | Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacker to update plugin settings. |
| CVE-2022-4667 | MEDIUM | 5.4 | 2023-01-30 | The RSS Aggregator by Feedzy WordPress plugin before 4.1.1 does not validate and escape some of its block options before outputting them back in the page, which could allow users … |
| CVE-2024-13101 | MEDIUM | 5.4 | 2025-01-31 | The WP MediaTagger WordPress plugin through 4.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is e… |
| CVE-2016-11006 | MEDIUM | 5.3 | 2019-09-20 | The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control for admin_init settings changes. |
| CVE-2016-11007 | MEDIUM | 5.3 | 2019-09-20 | The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_user_id for invoice retrieval. |
| CVE-2016-11008 | MEDIUM | 5.3 | 2019-09-20 | The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_paypal payer metadata updates. |
| CVE-2016-11009 | MEDIUM | 5.3 | 2019-09-20 | The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_interkassa payer metadata updates. |
| CVE-2016-11010 | MEDIUM | 5.3 | 2019-09-20 | The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_twocheckout payer metadata updates. |
| CVE-2021-24359 | MEDIUM | 5.3 | 2021-06-14 | The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attac… |
| CVE-2024-8513 | MEDIUM | 5.3 | 2024-10-10 | The QA Analytics – Web Analytics Tool with Heatmaps & Session Replay Across All Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capa… |
| CVE-2025-7499 | MEDIUM | 5.3 | 2025-08-16 | The BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers plugin for WordPress is vulne… |
| CVE-2022-1894 | MEDIUM | 4.8 | 2022-07-11 | The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks … |
| CVE-2022-38058 | MEDIUM | 4.3 | 2022-09-09 | Authenticated (subscriber+) Plugin Setting change vulnerability in WP Shamsi plugin <= 4.1.1 at WordPress. |
| CVE-2025-49435 | MEDIUM | 4.3 | 2025-06-06 | Cross-Site Request Forgery (CSRF) vulnerability in Hasina77 Wp Easy Allopass wordpress-easy-allopass allows Cross Site Request Forgery.This issue affects Wp Easy Allopass: from n/… |
| CVE-2025-8891 | MEDIUM | 4.3 | 2025-08-13 | The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_… |
| CVE-2023-4506 | LOW | 2.2 | 2023-09-27 | The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient valid… |
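The deciding question for every row above is whether your installed version falls inside that row's affected range, not whether it contains the string 4.1.1: "before 4.1.1" means 4.1.1 is the fixed release, while "through 4.1.1", "<= 4.1.11" and "versions 4.0.9 to 4.1.1" mean 4.1.1 is affected. The script below is an added example written for this page, not code from SiteRecipe or from any of the plugins named. It reads the core version from the contents of wp-includes/version.php (a constructed sample here) and applies the range phrasings the table uses to five descriptions copied from the table. The function names are ours, and the parser only understands the phrasings shown; anything else is reported as "range not stated" rather than guessed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Turn '4.1.11' into (4, 1, 11) so comparisons are numeric.

    As strings, '4.1.11' < '4.1.2' is True; numerically it is False. A
    scanner that compares version strings lexically will misjudge ranges.
    """
    return tuple(int(p) for p in v.strip().split("."))


def wp_core_version(version_php: str) -> str:
    """Extract $wp_version from the text of wp-includes/version.php.

    On a real install read that file from disk (or run `wp core version`);
    the caller passes the file contents here so the function is testable.
    """
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


# Each pattern yields (low, high, high_inclusive); low is None when the
# description gives no lower bound. The phrasings are the ones used in the
# table on this page. Order matters: two-sided ranges are checked first.
_RANGE_PATTERNS = [
    # "in versions 4.0.9 to 4.1.1", "from 1.0 to 2.0"
    (re.compile(r"(?:versions?|from)\s+(\d[\d.]*\d)\s+(?:to|through)\s+(\d[\d.]*\d)"),
     lambda m: (m.group(1), m.group(2), True)),
    # "before 4.1.1": the named version is the fixed one
    (re.compile(r"\bbefore\s+(\d[\d.]*\d)"),
     lambda m: (None, m.group(1), False)),
    # "up to, and including, 4.1.11", "through 4.1.1", "<= 4.1.11"
    (re.compile(r"(?:up to,?\s*and including,?|through|<=)\s*(\d[\d.]*\d)"),
     lambda m: (None, m.group(1), True)),
]


def affected_range(description: str) -> Optional[Tuple[Optional[str], str, bool]]:
    """Return the affected range a CVE description states, or None if it only
    names a version without saying whether earlier or later ones are affected."""
    for pattern, build in _RANGE_PATTERNS:
        m = pattern.search(description)
        if m:
            return build(m)
    return None


def is_affected(installed: str, description: str) -> Optional[bool]:
    """True/False if `installed` falls inside the stated range; None when the
    description does not state a range (do not guess, go and read the advisory)."""
    rng = affected_range(description)
    if rng is None:
        return None
    low, high, inclusive = rng
    v = parse_version(installed)
    if low is not None and v < parse_version(low):
        return False
    h = parse_version(high)
    return v <= h if inclusive else v < h


# Constructed sample: the assignment line as WordPress writes it in
# wp-includes/version.php, and five descriptions copied from the table above.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.1.1';\n"

SAMPLE_ENTRIES: Dict[str, str] = {
    "CVE-2023-0812": "The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.1 does not have proper authorization or nonce values",
    "CVE-2022-29495": "Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress",
    "CVE-2025-8891": "The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1.",
    "CVE-2024-13112": "The WP MediaTagger WordPress plugin through 4.1.1 does not sanitise and escape a parameter",
    "CVE-2019-25742": "WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability",
}


def triage(installed: str, entries: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Decide, per CVE, whether a component installed at `installed` is in range."""
    return {cve: is_affected(installed, desc) for cve, desc in entries.items()}


if __name__ == "__main__":
    print("core:", wp_core_version(SAMPLE_VERSION_PHP))
    for cve, verdict in triage("4.1.1", SAMPLE_ENTRIES).items():
        label = {True: "AFFECTED", False: "fixed", None: "range not stated"}[verdict]
        print(f"{cve}: {label}")
```

On a live site the same questions are answered by WP-CLI: `wp core version` for the core release, `wp plugin list --update=available` and `wp theme list --update=available` for components with a newer release, then `wp core update` and `wp plugin update --all` after a backup. Decide from the installed version and the advisory's stated range; a scanner that flags every component whose version string contains 4.1.1 produces exactly the false positives visible in this table, where the "before 4.1.1" rows are fixed in 4.1.1.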
Running WordPress core 4.1.1, or any of the listed plugins and themes at an affected version, puts your website at risk: the matched CVEs cover SQL injection, CSRF, unauthenticated file upload and unauthorized plugin installation, with the top entry scored 8.2 (High). Attackers scan for these version strings automatically. The fix is usually a matter of minutes: most plugin updates complete in under five minutes, while a large core jump needs a backup and a compatibility check first.
Don't wait until your site gets hacked. Use SiteRecipe.com to continuously monitor your WordPress version, plugins, and security status. Our platform automatically alerts you to vulnerabilities affecting your site and provides one-click guidance for fixing them. Protect your website today—sign up for SiteRecipe.com and get instant visibility into your security posture with detailed reports and actionable recommendations.
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.