WordPress 4.2.2 is an old release (May 2015) of the world's most popular website platform. If your site still runs it, it is exposed: every core security fix shipped since then is missing, and the vulnerability-database search behind this page matched 28 CVE entries for "4.2.2", including one rated critical that allows unauthenticated takeover. Read the list with care, though: it matches the version string, not only WordPress core. Many entries concern third-party plugins or themes whose own version happens to be 4.2.2, and the ones worded "before 4.2.2" describe flaws that 4.2.2 fixed. This guide explains how to read the list and what to do about it.
Despite being outdated, approximately 77 websites worldwide still use WordPress 4.2.2. Those sites are probed continuously by automated scanners that read the version from the page source and try exploits for the known weaknesses. The good news is that identifying and fixing the problems is straightforward if you follow the right steps. We'll walk you through everything you need to know.
WordPress 4.2.2 is an older version of WordPress, the software that powers over 40% of all websites on the internet. WordPress allows non-technical users to create, manage, and publish content on their websites without coding knowledge. Version 4.2.2 was released in May 2015. Later 4.2.x point releases backported some security fixes, but a site pinned at 4.2.2 has none of them, and the only properly supported configuration is the current major release. Think of WordPress as the foundation of your home: if you don't maintain it, cracks develop and let intruders in.
When WordPress releases new versions, they fix security problems discovered in older versions. Using outdated software is like leaving your front door unlocked. Attackers use automated tools to scan the internet for websites running vulnerable versions like 4.2.2 (the version is usually readable from the page's generator tag, the `?ver=` query strings on its scripts and stylesheets, or `/readme.html`), then exploit known weaknesses to steal data, inject malware, or deface content. Updating to the latest WordPress version closes these doors and protects your visitors' information.
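The following is an added example, written for this article and not SiteRecipe's scanner, showing how the version leaks the previous paragraph mentions are read from a page: the `<meta name="generator">` tag and the `?ver=` parameter WordPress appends to assets served from `/wp-includes/`. The sample HTML and the `some-plugin` asset are constructed for the demonstration.

```python
"""Fingerprint the WordPress core version from a page's HTML.

Added example for this article; not SiteRecipe's scanner. Two signals a stock
WordPress page leaks are used: the <meta name="generator"> tag and the ?ver=
query string on assets under /wp-includes/. The sample HTML is constructed.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

_VERSION_RE = re.compile(r"^\d+\.\d+(?:\.\d+)?$")


class _WPProbe(HTMLParser):
    """Collects the generator tag and the ?ver= values of core (wp-includes) assets."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.core_asset_versions = Counter()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content")
            return
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url or "/wp-includes/" not in url:
            return  # assets under wp-content carry plugin/theme versions, not core's
        ver = parse_qs(urlsplit(url).query).get("ver", [""])[0]
        if _VERSION_RE.match(ver):
            self.core_asset_versions[ver] += 1


def fingerprint_wordpress(html):
    """Return {'generator', 'asset_versions', 'likely_version'} for one page.

    Rule: trust the generator tag when it names WordPress; otherwise take the
    ?ver= value most common across wp-includes assets. Bundled libraries such as
    jQuery register their own version number, so one odd value is expected.
    """
    probe = _WPProbe()
    probe.feed(html)
    gen_version = None
    if probe.generator:
        m = re.search(r"WordPress\s+(\d+\.\d+(?:\.\d+)?)", probe.generator)
        if m:
            gen_version = m.group(1)
    likely = gen_version
    if likely is None and probe.core_asset_versions:
        likely = probe.core_asset_versions.most_common(1)[0][0]
    return {
        "generator": gen_version,
        "asset_versions": probe.core_asset_versions,
        "likely_version": likely,
    }


# Constructed sample resembling the <head> of a WordPress 4.2-era page.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 4.2.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dashicons.min.css?ver=4.2.2" />
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.11.2"></script>
<script src="https://example.com/wp-includes/js/wp-emoji-release.min.js?ver=4.2.2"></script>
<script src="https://example.com/wp-content/plugins/some-plugin/app.js?ver=1.0.3"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    print(fingerprint_wordpress(SAMPLE_HTML))
```

Treat the result as a hint, not proof: many sites remove the generator tag and strip `?ver=`, and the value can be spoofed. Scanners usually also fetch `/readme.html` and compare hashes of static core files when the HTML is silent.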
The search matched 28 CVE entries. The most serious are explained first; a table of entries follows.
The Simple File List plugin (the plugin's own version 4.2.2, not WordPress core) lets an unauthenticated visitor upload a file with a harmless-looking extension and then rename it to a name ending in a PHP extension. The rename step skips the file-type check that the upload step applies, so the web server executes the renamed file as code. Attackers don't need a login to exploit this.
Impact: A hacker could take complete control of your website, steal data, inject malware, or use your site to attack other websites.
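The bug class above, rename-without-revalidation, beside a hardened check. This is an added illustrative example in Python, not the plugin's own PHP code; the allow-list is a constructed policy for the demonstration.

```python
"""Rename-without-revalidation, the bug class behind the Simple File List entry.

Added illustrative example; not the plugin's code. ALLOWED_EXTENSIONS is a
constructed policy for the demonstration.
"""
import os
import re

ALLOWED_EXTENSIONS = {"pdf", "txt", "png", "jpg", "jpeg", "gif", "zip"}


def vulnerable_rename_target(requested):
    """Deny-list style check: rejects only names ending in '.php'.

    Other extensions the PHP handler commonly maps (.phtml, .phar, .php5 on
    many stacks) and directory components in the name get through untouched.
    """
    if requested.lower().endswith(".php"):
        raise ValueError("php not allowed")
    return requested


def safe_rename_target(original, requested):
    """Return the name to rename to, or raise ValueError.

    1. Drop any directory part the client supplied.
    2. Require exactly one extension and a conservative character set.
    3. The extension must be on the allow-list AND must equal the extension
       validated at upload time: renaming is not a way to change a file's type.
    """
    name = os.path.basename(requested.replace("\\", "/"))
    m = re.fullmatch(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,8})", name)
    if not m:
        raise ValueError("bad filename")
    base, ext = m.group(1), m.group(2).lower()
    orig_ext = os.path.splitext(original)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    if ext != orig_ext:
        raise ValueError("rename may not change the file type")
    return f"{base}.{ext}"


def is_rejected(check, *args):
    """True if the given check function raises ValueError for these arguments."""
    try:
        check(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_rename_target("shell.phtml"))          # accepted: bypass
    print(safe_rename_target("photo.png", "holiday-2.png"))  # accepted
    print(is_rejected(safe_rename_target, "photo.png", "shell.phtml"))  # True
```

Validation alone should not be the last line of defence: disable PHP execution in the uploads directory as well (on Apache, `php_admin_flag engine off` in a `<Directory>` block for `wp-content/uploads`; on nginx, a `location` rule that denies `.php` under that path), so that a mistake in a plugin's checks does not immediately become remote code execution.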
The Widget Options plugin processes widget display settings in an unsafe way that lets an attacker inject code that then runs on the server. This affects how widgets appear on your pages and can be exploited without requiring special permissions.
Impact: Attackers could execute harmful code on your server, potentially compromising your entire website and visitor data.
A file uploaded to the Media section with a specially crafted name can cause script to run when someone opens that file. Only users who can upload files (authors, editors, admins) can plant it, but the script executes in the browser of whoever views the file, an administrator included, so this is a stored cross-site scripting flaw, not server-side code execution.
Impact: A compromised upload-capable account could run script in an administrator's browser and act with that administrator's privileges, for example to create new admin users.
The Optimole image optimization plugin doesn't properly filter input in its search feature, allowing an attacker to inject script that runs in the browser of anyone who views the affected pages. The payload is stored on your site, so it keeps firing until removed.
Impact: Attackers could inject malware or steal information from your visitors' browsers.
Authors and other users with upload permissions can inject malicious JavaScript code into media attachment pages. When an admin views these pages, the code runs with admin privileges, potentially granting attackers higher access.
Impact: A compromised author account could be used to gain admin-level access to your website.
The PDF24 plugin lacks a cross-site request forgery check (a nonce) on its settings update, so an attacker can trick a logged-in admin into changing plugin settings without their knowledge: a page or link the admin visits submits the settings form on their behalf.
Impact: Attackers could alter how your PDF conversion plugin works, potentially injecting malware or disrupting your site functionality.
How to read the table: the version wording in each description decides whether 4.2.2 is affected. "before 4.2.2" and "< 4.2.2" mean 4.2.2 contains the fix; "through 4.2.2", "<= 4.2.2" and "up to, and including, 4.2.2" mean 4.2.2 is vulnerable. Entries naming a plugin or theme apply only if that plugin or theme is installed, whatever WordPress core version you run.
| CVE ID | Severity | CVSS score | Published | Description |
|---|---|---|---|---|
| CVE-2022-1828 | MEDIUM | 6.5 | 2022-06-20 | The PDF24 Articles To PDF WordPress plugin through 4.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2025-14865 | MEDIUM | 6.4 | 2026-01-28 | The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions … |
| CVE-2015-8834 | MEDIUM | 6.1 | 2016-05-22 | Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that … |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2022-4469 | MEDIUM | 5.4 | 2023-01-16 | The Simple Membership WordPress plugin before 4.2.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users … |
| CVE-2021-36847 | MEDIUM | 4.8 | 2022-08-22 | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WebbaPlugins Webba Booking plugin <= 4.2.21 at WordPress. |
| CVE-2022-3892 | MEDIUM | 4.8 | 2022-12-05 | The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.2 does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform S… |
| CVE-2011-3855 | MEDIUM | 4.3 | 2011-09-28 | Cross-site scripting (XSS) vulnerability in the F8 Lite theme before 4.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. |
| CVE-2015-3429 | MEDIUM | 4.3 | 2015-06-17 | Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or H… |
| CVE-2015-5151 | MEDIUM | 4.3 | 2015-06-30 | Cross-site scripting (XSS) vulnerability in the Slider Revolution (revslider) plugin 4.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cli… |
| CVE-2022-38137 | MEDIUM | 4.3 | 2022-11-08 | Cross-Site Request Forgery (CSRF) vulnerability in Analytify plugin <= 4.2.2 on WordPress. |
| CVE-2024-1995 | MEDIUM | 4.3 | 2024-03-20 | The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versio… |
| CVE-2025-1383 | MEDIUM | 4.3 | 2025-03-06 | The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect non… |
| CVE-2025-4101 | MEDIUM | 4.3 | 2025-05-17 | The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'de… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
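Turning the table into decisions means applying each entry's version wording to what the site actually runs. The following is an added example, not SiteRecipe's scanner: the records are constructed from the wording of the entries above (component slugs are made up for the example), the inventory is a made-up site, and the range given for the core entry CVE-2020-11030 is the editor's reading of the 2020 advisory (fixed in 5.4.1, with backports to older branches), so treat it as an assumption to confirm against NVD.

```python
"""Triage a '4.2.2' CVE list against what a site actually runs.

Added example, not SiteRecipe's scanner. RECORDS are constructed from the
wording of the table entries; INVENTORY is a made-up site. The core entry's
range is an assumption (see the lead-in) to be checked against NVD.
"""
import re

# Multi-word forms and '<=' are listed before the bare '<' so they win.
_RANGE_RE = re.compile(r"(up to, and including,|before|through|<=|<)\s*v?(\d+(?:\.\d+)*)")


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def version_affected(range_text, installed):
    """Apply an advisory's range wording to an installed version.

    'before X' / '< X'                                   -> installed <  X (X is the fix)
    'through X' / '<= X' / 'up to, and including, X'     -> installed <= X (X is vulnerable)
    """
    m = _RANGE_RE.search(range_text)
    if not m:
        raise ValueError(f"unrecognised range wording: {range_text!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    inst = parse_version(installed)
    if op in ("before", "<"):
        return inst < bound
    return inst <= bound


def triage(records, inventory):
    """Map each CVE to 'affected', 'fixed' (installed version is past the range)
    or 'not installed' (the named component is absent from the site)."""
    verdicts = {}
    for r in records:
        installed = inventory.get(r["component"])
        if installed is None:
            verdicts[r["cve"]] = "not installed"
        elif version_affected(r["range"], installed):
            verdicts[r["cve"]] = "affected"
        else:
            verdicts[r["cve"]] = "fixed"
    return verdicts


# Constructed from the table wording; component slugs are made up for the example.
RECORDS = [
    {"cve": "CVE-2022-1828", "component": "pdf24-articles-to-pdf", "range": "through 4.2.2"},
    {"cve": "CVE-2015-8834", "component": "wordpress", "range": "before 4.2.2"},
    {"cve": "CVE-2020-11030", "component": "wordpress", "range": "before 5.4.1"},  # assumption
    {"cve": "CVE-2022-4469", "component": "simple-membership", "range": "before 4.2.2"},
    {"cve": "CVE-2021-36847", "component": "webba-booking", "range": "<= 4.2.21"},
    {"cve": "CVE-2025-1383", "component": "podlove-podcasting-plugin", "range": "up to, and including, 4.2.2"},
]

# Made-up site: old core plus two of the listed plugins.
INVENTORY = {
    "wordpress": "4.2.2",
    "pdf24-articles-to-pdf": "4.2.2",
    "simple-membership": "4.2.2",
}

if __name__ == "__main__":
    for cve, verdict in triage(RECORDS, INVENTORY).items():
        print(f"{cve:16} {verdict}")
```

Two caveats on the core entries: WordPress backports fixes to old branches, so a range written against the mainline fix version (here "before 5.4.1") will over-report a patched 4.2.x point release; and a site at exactly 4.2.2 is affected by every core advisory issued after May 2015, not just the handful this page's string match happened to catch. Installed plugin versions can be listed with `wp plugin list --format=json` when WP-CLI is available.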
WordPress 4.2.2 contains serious security vulnerabilities that put your website, customer data, and reputation at risk. The one critical entry, an unauthenticated file-upload flaw in a plugin, can hand an attacker complete control on its own, and a core install this old is missing every security fix since 2015 regardless of which plugins are present. Updating is the single most important maintenance task you can do, but a jump from 4.2.2 to the current release spans many major versions: take a full backup of files and database first, confirm your PHP version meets the current WordPress minimum, rehearse the update on a staging copy, and update or remove the plugins and themes named above (uninstall any that are abandoned). Don't wait for a breach; take action today.
SiteRecipe.com offers free security scanning that instantly tells you which WordPress version you're running and alerts you to any known vulnerabilities on your site. Our experts can also guide you through the update process step-by-step. Visit SiteRecipe.com now to scan your website for free and get personalized recommendations to keep your site secure, fast, and fully protected against threats.