WordPress 4.3.1 is an outdated version running on approximately 153 websites worldwide, and it contains a staggering 27 security vulnerabilities that put your site at serious risk. Among these are 3 critical flaws that could allow attackers to execute SQL injection attacks, compromise your database, and steal sensitive information. If you're still using WordPress 4.3.1, your website is vulnerable to exploitation by cybercriminals who actively scan for these known weaknesses.
This comprehensive guide will help you identify whether your site is running this vulnerable version and provide you with actionable steps to protect your WordPress installation. Whether you manage a small blog or a large business website, upgrading from WordPress 4.3.1 is one of the most important security decisions you can make today.
WordPress 4.3.1 is an older version of the popular website building platform that was released several years ago. While it may have worked well when it was current, WordPress continuously releases security updates to patch newly discovered vulnerabilities. Version 4.3.1 has now reached end-of-life status, meaning it no longer receives security updates or support from the WordPress development team. Running outdated software is one of the most common reasons websites get hacked, as attackers specifically target known vulnerabilities in older versions.
Think of WordPress 4.3.1 like an old car without updated safety features—it might still run, but it's missing critical protections that modern versions have. The platform itself is excellent for building websites, but only when you keep it updated regularly. Every WordPress version includes patches for security holes discovered in previous releases, and by using 4.3.1, you're essentially leaving your digital door unlocked.
27 CVEs found. The most critical are explained below.
The Email Subscribers & Newsletters plugin has a SQL injection hole that lets attackers sneak harmful commands into your database queries. Think of it like someone finding a back door to your filing cabinet and being able to read or modify your files without permission.
Impact: Attackers could steal your subscriber lists, customer emails, passwords, and other sensitive information stored in your database. They could also modify or delete your data.
The Contact Form plugin does not neutralise form data when you export responses as an Excel or CSV file. An attacker can submit a form value that a spreadsheet application treats as a formula, so the hidden instructions activate when you open the exported file.
Impact: When you download and open your form submissions, the file could execute harmful commands on your computer or infect it with malware.
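The export defect above, shown as an added example (not code from the Contact Form plugin or from SiteRecipe): form values are neutralised before they are written to the spreadsheet file, so a submission that begins with a formula character is stored as plain text. The table name, function names and sample rows are constructed for the example.

```php
<?php
// Added example, not code from the Contact Form plugin named above. It shows
// the mitigation for the export defect described: any submitted field that a
// spreadsheet application would read as a formula is neutralised before it
// is written to the exported file.

// Characters that make Excel, LibreOffice and similar evaluate a cell as a
// formula (or as a DDE command) when the exported file is opened.
const DEMO_FORMULA_TRIGGERS = "=+-@\t\r";

function demo_neutralise_cell( $value ) {
    $value = (string) $value;
    if ( $value !== '' && strpos( DEMO_FORMULA_TRIGGERS, $value[0] ) !== false ) {
        // A leading apostrophe forces the cell to be treated as literal text.
        // Harmless values such as "-5 stars" get the prefix too; that is the
        // accepted trade-off, since the export is for reading, not computing.
        $value = "'" . $value;
    }
    return $value;
}

// Writes submissions as RFC 4180 CSV. fputcsv() quotes commas, quotes and
// line breaks, so a value cannot spill into neighbouring cells either.
function demo_export_submissions( array $rows, $path ) {
    $fh = fopen( $path, 'w' );
    fputcsv( $fh, array( 'name', 'email', 'message' ) );
    foreach ( $rows as $row ) {
        fputcsv( $fh, array_map( 'demo_neutralise_cell', $row ) );
    }
    fclose( $fh );
}

// Constructed sample input: the third "message" begins with "=" exactly as a
// form submission could, and ends up stored as text rather than as a formula.
$sample = array(
    array( 'Ann', 'ann@example.com', 'Thanks for the quick reply' ),
    array( 'Bob', 'bob@example.com', '-5 stars, form was confusing' ),
    array( 'Eve', 'eve@example.com', '=SUM(A1:A9)' ),
);
$out = sys_get_temp_dir() . '/demo-submissions.csv';
demo_export_submissions( $sample, $out );
echo file_get_contents( $out );
```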
The Gift Cards plugin has a critical SQL injection vulnerability that lets anyone (without even logging in) inject database commands through a hidden request parameter. Attackers don't need special access—they can attack from outside your website.
Impact: Hackers can steal your gift card data, customer information, payment details, and any other information in your database. They could also modify or delete critical data.
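The two SQL injection entries above, as an added example (not code from the Email Subscribers or Gift Cards plugins): a lookup written in the injectable shape the page describes, beside the same lookup using WordPress's prepared-statement API, and an endpoint registration that keeps the query out of reach of visitors who never log in. The `demo_cards` table, function names and capability are assumptions for the example.

```php
<?php
// Added example, not code from any plugin named on the page. A lookup on a
// hypothetical table ($wpdb->prefix . 'demo_cards'), first in the injectable
// shape the page describes and then with WordPress's own prepare() API, plus
// the AJAX registration that decides who can reach the query at all.

function demo_find_card_vulnerable( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_cards';
    // The request parameter is spliced into the SQL text, so it can change
    // the query's structure instead of only supplying a value.
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE code = '{$code}'" );
}

function demo_find_card_hardened( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_cards';
    // Reject anything outside the shape a card code can have before it gets
    // anywhere near the database.
    if ( ! preg_match( '/^[A-Z0-9-]{4,32}$/', $code ) ) {
        return null;
    }
    // %s is escaped and quoted by prepare(); the input can only ever be
    // compared as a value. prepare() cannot bind a table name, so that part
    // must always come from trusted code, as it does here.
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE code = %s", $code )
    );
}

function demo_ajax_lookup() {
    check_ajax_referer( 'demo_lookup', 'nonce' );        // CSRF token check
    if ( ! current_user_can( 'edit_posts' ) ) {          // authorization check
        wp_send_json_error( 'forbidden', 403 );
    }
    $code = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    wp_send_json_success( demo_find_card_hardened( $code ) );
}
// Registered for logged-in users only. The "without even logging in" defect
// comes from also hooking wp_ajax_nopriv_{action}; that hook is deliberately
// absent here, so anonymous requests get WordPress's standard "0" reply.
add_action( 'wp_ajax_demo_lookup', 'demo_ajax_lookup' );
```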
The Database Backup plugin is missing the cross-site request forgery (CSRF) check that verifies a request really came from you. An attacker could trick you into clicking a malicious link that performs unwanted actions on your site while you are logged in.
Impact: Attackers could force you to delete backups, change settings, or perform other dangerous actions without your knowledge or consent.
The SULly plugin is missing CSRF checks in certain areas, allowing attackers to trick logged-in users into performing unwanted actions. If you visit a malicious website while logged into your WordPress site, that site can make your browser submit changes without your knowledge.
Impact: Attackers could modify user accounts, change settings, delete content, or take other unwanted actions on your site by exploiting your logged-in session.
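The missing-check pattern behind the Database Backup and SULly entries above, as an added example (not code from either plugin): a settings handler without any check that the request was intended by the user, beside the same handler protected with a WordPress nonce and a capability check. The plugin, option and hook names are assumptions for the example.

```php
<?php
// Added example, not code from the Database Backup or SULly plugins named
// above. A settings handler for a hypothetical plugin, first in the shape the
// two paragraphs describe (no check that the request was intended by the
// user) and then with the nonce and capability checks WordPress provides.

// Vulnerable: any request reaching admin-post.php?action=demo_save is
// honoured. Whoever can get a logged-in admin's browser to send it, from any
// page on the web, gets the setting changed under the admin's session.
function demo_save_settings_vulnerable() {
    update_option( 'demo_backup_dir', $_POST['backup_dir'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// Hardened: the form carries a nonce bound to this action and this user's
// session, and the handler refuses requests that lack a valid one. A site
// outside WordPress cannot obtain the nonce, so a forged request fails.
function demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );   // hidden nonce field
    echo '<input type="hidden" name="action" value="demo_save">';
    echo '<input name="backup_dir" value="' . esc_attr( get_option( 'demo_backup_dir', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function demo_save_settings_hardened() {
    // Authorization first: the "missing capability check" entries in the table
    // are this test being absent, letting low-privilege accounts reach the write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Then intent: dies with a 403 page unless demo_nonce is valid for this
    // action and this user. Nonces also expire, so a stale one is refused.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    $dir = sanitize_text_field( wp_unslash( $_POST['backup_dir'] ?? '' ) );
    update_option( 'demo_backup_dir', $dir );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
add_action( 'admin_post_demo_save', 'demo_save_settings_hardened' );
```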
The User Frontend plugin doesn't properly validate file uploads, so an attacker can use the plugin's upload features to place a dangerous file, such as a server-side script, on your server and have it run there.
Impact: Attackers could take complete control of your website, steal all your data, install malware, or use your server to attack other websites.
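The upload defect above, as an added example (not code from the User Frontend plugin): a handler that trusts the uploaded file's name and type, beside one that admits only an allow-list of types and stores the file through WordPress's own upload API. The form field, nonce name and allowed types are assumptions for the example.

```php
<?php
// Added example, not code from the User Frontend plugin named above. A
// front-end upload handler for a hypothetical plugin: first the unchecked
// shape the paragraph describes, then one that only admits files WordPress
// recognises as the expected types and stores them through the media API.

function demo_save_upload_vulnerable() {
    // Trusts the client-supplied file name and type and writes into a
    // web-reachable directory, so whatever was uploaded can be requested
    // back as a URL, including server-side script files.
    $dest = WP_CONTENT_DIR . '/uploads/' . $_FILES['attachment']['name'];
    move_uploaded_file( $_FILES['attachment']['tmp_name'], $dest );
    return $dest;
}

function demo_save_upload_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload.' );
    }
    check_admin_referer( 'demo_upload', 'demo_nonce' );
    if ( empty( $_FILES['attachment'] ) || UPLOAD_ERR_OK !== $_FILES['attachment']['error'] ) {
        return new WP_Error( 'bad_upload', 'No usable file received.' );
    }
    // Allow-list of extension => MIME type; anything else is rejected.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() checks the extension against $allowed, for images
    // verifies the real content via wp_check_filetype_and_ext() rather than
    // trusting the client's claim, and stores the file under wp-content/uploads
    // with a sanitised, collision-free name rather than the raw client name.
    $result = wp_handle_upload(
        $_FILES['attachment'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'rejected', $result['error'] );
    }
    return $result['file'];   // absolute path of the stored file
}
```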
| CVE ID | Severity | CVSS Score | Published | Description |
|---|---|---|---|---|
| CVE-2023-6696 | HIGH | 8.1 | 2024-06-15 | The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capabil… |
| CVE-2024-13491 | HIGH | 7.5 | 2025-02-19 | The Small Package Quotes – For Customers of FedEx plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, an… |
| CVE-2024-5151 | HIGH | 7.1 | 2024-07-13 | The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Script… |
| CVE-2025-4577 | MEDIUM | 6.4 | 2025-06-10 | The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versio… |
| CVE-2025-14387 | MEDIUM | 6.4 | 2025-12-15 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanit… |
| CVE-2015-5714 | MEDIUM | 6.1 | 2016-05-22 | Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML el… |
| CVE-2016-10875 | MEDIUM | 6.1 | 2019-08-12 | The wp-database-backup plugin before 4.3.1 for WordPress has XSS. |
| CVE-2022-1617 | MEDIUM | 6.1 | 2024-01-16 | The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowi… |
| CVE-2024-5033 | MEDIUM | 5.9 | 2024-07-13 | The SULly WordPress plugin before 4.3.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in adm… |
| CVE-2015-7989 | MEDIUM | 5.4 | 2016-05-22 | Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-… |
| CVE-2023-0403 | MEDIUM | 5.4 | 2023-01-19 | The Social Warfare plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.1. This is due to missing or incorrect nonce validation o… |
| CVE-2025-13956 | MEDIUM | 5.3 | 2025-12-16 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions… |
| CVE-2026-3504 | MEDIUM | 5.3 | 2026-05-02 | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1… |
| CVE-2020-36831 | MEDIUM | 5.0 | 2024-10-16 | The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on multiple user privilege/security functi… |
| CVE-2022-45816 | MEDIUM | 4.8 | 2022-12-06 | Auth. Stored Cross-Site Scripting (XSS) vulnerability in GD bbPress Attachments plugin <= 4.3.1 on WordPress. |
| CVE-2024-5032 | MEDIUM | 4.7 | 2024-07-13 | The SULly WordPress plugin before 4.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be … |
| CVE-2026-6813 | MEDIUM | 4.4 | 2026-05-12 | The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitiza… |
| CVE-2015-5715 | MEDIUM | 4.3 | 2016-05-22 | The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access re… |
| CVE-2022-0313 | MEDIUM | 4.3 | 2022-02-21 | The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF att… |
| CVE-2024-12532 | MEDIUM | 4.3 | 2025-01-07 | The BWD Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.18 in widgets/bwdeb-content-switcher.php. T… |
| CVE-2026-6393 | MEDIUM | 4.3 | 2026-04-24 | The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai… |
WordPress 4.3.1 poses an unacceptable security risk to your website and your visitors' data. With 3 critical vulnerabilities including SQL injection flaws that could expose your entire database, continuing to use this version is essentially inviting hackers to compromise your site. The good news is that upgrading to a current WordPress version is straightforward and takes just minutes, immediately eliminating these known threats and protecting your digital assets.
Don't wait for a breach to happen—take action today. Use SiteRecipe.com's free vulnerability scanner to identify all security issues on your WordPress site, get personalized upgrade recommendations, and access step-by-step guides to keep your website safe. Our platform helps thousands of website owners monitor their WordPress security, detect vulnerabilities before attackers find them, and maintain compliance with security best practices. Visit SiteRecipe.com now for a free security audit of your website.