    Home /
    Blog /
    wordpress 4.3.5
  

Security Advisory

WordPress 4.3.5 Security: 6 CVEs & How to Fix Them

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 4 websites still running wordpress 4.3.5 → View full list

Total

High

Medium

WordPress 4.3.5 is an older version of the popular website platform that powers millions of sites worldwide. While it served many websites well when released, security researchers have since discovered vulnerabilities that put sites at risk. Currently, only 4 websites are still using this outdated version, but if yours is one of them, immediate action is needed.

Our security team has identified 6 vulnerabilities in WordPress 4.3.5, including 2 high-severity issues and 4 medium-severity ones. These vulnerabilities affect popular plugins and could allow attackers to upload malicious files, steal data, or take control of your website. This guide will help you understand these risks and take steps to secure your site.

If you're unsure whether your WordPress installation is vulnerable, SiteRecipe.com's security scanner can identify all potential threats in minutes. Let's explore what you need to know and how to fix these issues.

What is Wordpress 4.3.5?

WordPress 4.3.5 is an older release of WordPress, the content management system used to build and manage websites. Think of it as the 'backbone' of your site—it handles everything from displaying your content to managing user accounts and plugins. This particular version was released several years ago and is no longer receiving regular security updates from the WordPress team.

When WordPress versions become outdated, they're more likely to have unpatched security holes. Plugins (small software add-ons that add features to your site) built for older WordPress versions can also contain vulnerabilities. The combination of an outdated core system and potentially vulnerable plugins creates a perfect storm for cybercriminals looking to compromise websites. This is why updating WordPress regularly is one of the most important steps you can take to protect your site.

Key Vulnerabilities in Wordpress 4.3.5

6 CVEs found. The most critical are explained below.

HIGH CVE-2023-6827 7.5/10 · CVSS v3.1 ⏱ Immediate

Essential Real Estate Plugin - Unauthorized File Upload Flaw

The Essential Real Estate plugin has a security weakness that allows people with basic user accounts to upload files that shouldn't be allowed. An attacker could upload malicious files to your server, potentially taking control of your website.

Impact: Hackers could upload harmful files that give them access to your entire website, steal customer data, or deface your pages.

↗ View on NVD

HIGH CVE-2023-4719 7.2/10 · CVSS v3.1 ⏱ Immediate

Simple Membership Plugin - Code Injection Vulnerability

The Simple Membership plugin doesn't properly filter user input in one of its features, allowing attackers to inject malicious code into your website. Anyone can exploit this without needing a user account.

Impact: Attackers could inject code that steals visitor data, redirects users to malicious sites, or spreads malware through your website.

↗ View on NVD

MEDIUM CVE-2021-24670 5.4/10 · CVSS v3.1 ⏱ Within 7 days

CoolClock Plugin - Contributor-Level Security Bypass

The CoolClock plugin has a flaw where even users with basic contributor permissions can inject harmful code into your website content. This code would affect all visitors who view that content.

Impact: Low-level users could compromise your website's security and damage your reputation by injecting malicious content.

↗ View on NVD

MEDIUM CVE-2021-36843 4.8/10 · CVSS v3.1 ⏱ Within 7 days

Floating Social Media Icon Plugin - Admin Account Risk

The Floating Social Media Icon plugin has a vulnerability in its settings that allows admin users to accidentally or maliciously inject harmful code into your website.

Impact: If an admin account is compromised, an attacker could inject code that affects all your website visitors.

↗ View on NVD

MEDIUM CVE-2024-9428 4.8/10 · CVSS v3.1 ⏱ Within 7 days

Popup Builder Plugin - Admin Code Injection Flaw

The Popup Builder plugin has a weakness in its settings panel that allows administrator-level users to inject malicious code, even with standard security restrictions in place.

Impact: Compromised admin accounts could inject harmful code affecting all visitors, especially problematic on multi-site installations.

↗ View on NVD

MEDIUM CVE-2026-7648 4.3/10 · CVSS v3.1 ⏱ Immediate

LearnPress LMS - Payment System Bypass Vulnerability

The LearnPress course plugin has a flaw in its payment system that allows attackers to manipulate course payments through the site's API. Students could potentially access paid courses without paying.

Impact: You could lose course revenue as attackers gain unauthorized access to paid content without completing payment.

↗ View on NVD

Is your website running Wordpress 4.3.5?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 4 affected sites

How to Check If Your Website Is Affected

1 Log in to your WordPress admin dashboard and scroll to the bottom of the left sidebar to find your WordPress version number
2 If you see version 4.3.5 or any version in the 4.x series, your site is using outdated software and requires immediate attention
3 Check your installed plugins by going to Plugins > Installed Plugins and note which ones match the vulnerable plugins mentioned: Essential Real Estate, Simple Membership, CoolClock, Floating Social Media Icon, Popup Builder, and LearnPress

How to Fix These Vulnerabilities

1 Back up your entire website immediately using your hosting provider's backup tool or a WordPress backup plugin—this protects you if something goes wrong during updates
2 Update WordPress to the latest stable version by going to Dashboard > Updates and clicking 'Update Now' for WordPress core
3 Update or remove vulnerable plugins: go to Plugins > Installed Plugins and update each plugin to its latest version, or deactivate/delete plugins you're no longer using
4 Run a security scan using SiteRecipe.com to verify all vulnerabilities have been patched and check for any new threats your site may have been exposed to

Conclusion

WordPress 4.3.5 poses serious security risks to your website and visitor data. The 6 vulnerabilities we've discussed—including arbitrary file uploads and cross-site scripting attacks—are actively exploited by cybercriminals. Updating to the latest WordPress version and keeping all plugins current is not optional; it's essential for protecting your business and reputation.

Don't wait for an attack to happen. Use SiteRecipe.com's comprehensive security scanning tools to identify vulnerabilities across your entire WordPress installation in seconds. Our platform will show you exactly what needs to be fixed, prioritize threats by severity, and guide you through the update process. Secure your site today and gain peace of mind knowing your website and customer data are protected.

Frequently Asked Questions

Is WordPress 4.3.5 still supported by the WordPress team?

No. WordPress 4.3.5 reached end-of-life years ago and no longer receives security patches or updates. The WordPress team only supports the current version and a few recent versions before it. Using such an old version is dangerous and leaves your site vulnerable to known exploits.

Can I update WordPress without losing my content or settings?

Yes. WordPress updates are designed to preserve all your content, pages, posts, and settings. Always create a backup before updating, just as a safety precaution. Most updates take just a few minutes and happen automatically if you have automatic updates enabled.

What happens if hackers exploit these vulnerabilities?

Attackers could upload malicious files to take over your site, steal customer data or payment information, inject malware that spreads to your visitors' devices, or use your site to send spam. The consequences can be severe, including data breaches, legal liability, and loss of customer trust.

Why should I use SiteRecipe.com instead of checking vulnerabilities myself?

SiteRecipe.com automatically scans your entire WordPress installation against a constantly updated database of known vulnerabilities. It identifies issues you might miss, prioritizes threats by severity, and provides clear instructions for fixes. This saves time and ensures nothing dangerous slips through the cracks.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 4 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com