    Home /
    Blog /
    wordpress 4.3.8
  

Security Advisory

WordPress 4.3.8 Vulnerabilities: 4 Critical Security Issues

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 1 websites still running wordpress 4.3.8 → View full list

Total

Critical

Medium

WordPress 4.3.8, though an older version, still powers websites across the internet. However, recent security analysis has uncovered 4 significant vulnerabilities that put your site at serious risk. These flaws range from SQL injection attacks that can compromise your entire database to cross-site scripting (XSS) vulnerabilities that can steal visitor data and spread malware.

If you're running WordPress 4.3.8, you're potentially exposed to attacks from cybercriminals who actively exploit these known weaknesses. The good news is that identifying and fixing these issues is straightforward, and we'll walk you through every step in this comprehensive guide.

Staying ahead of security threats is essential for protecting your business, your users, and your reputation online. Let's explore what makes WordPress 4.3.8 vulnerable and how to secure your installation today.

What is Wordpress 4.3.8?

WordPress 4.3.8 is an older version of WordPress, the world's most popular content management system that powers over 40% of all websites. Released years ago, this version was once considered secure, but as web threats evolve, previously unknown vulnerabilities have been discovered. WordPress versions are identified by version numbers, and 4.3.8 refers to a specific release that many site owners still use, either due to compatibility concerns with older plugins or simple neglect of updates.

This particular version of WordPress operates the same way as modern versions—it allows you to create, edit, and manage website content without coding knowledge. However, older versions lack the security patches and improvements included in newer releases. Think of it like using an older car model; while it still runs, it doesn't have the modern safety features that protect you on today's roads. When vulnerabilities are discovered in older WordPress versions, cybercriminals specifically target sites running those versions because they know many website owners haven't updated yet.

Key Vulnerabilities in Wordpress 4.3.8

4 CVEs found. The most critical are explained below.

CRITICAL CVE-2022-0747 9.8/10 · CVSS v3.1 ⏱ Immediate

Infographic Maker Plugin - Hackers Can Access Your Database

The Infographic Maker plugin has a serious flaw that lets attackers send specially crafted requests to your website and manipulate your database directly. This doesn't require the attacker to have a login - they can do it anonymously from anywhere.

Impact: Attackers could steal sensitive data from your WordPress database including customer information, posts, and settings. They could also modify or delete your content entirely.

↗ View on NVD

MEDIUM CVE-2026-3875 6.4/10 · CVSS v3.1 ⏱ Within 7 days

BetterDocs Plugin - Malicious Code Can Be Stored on Your Site

The BetterDocs plugin doesn't properly filter user input in its feedback form shortcode. This means someone could inject malicious code that gets permanently saved to your website and runs whenever visitors view that page.

Impact: Attackers could inject code that steals visitor information, redirects users to malicious sites, or displays unwanted content to your audience. This damages your site's reputation and visitor trust.

↗ View on NVD

MEDIUM CVE-2023-6882 6.1/10 · CVSS v3.1 ⏱ Within 7 days

Simple Membership Plugin - Injected Code via URL Parameter

The Simple Membership plugin fails to properly clean a URL parameter called 'environment_mode'. An attacker can include malicious code in a link and when someone clicks it, the code runs in their browser.

Impact: Visitors who click a malicious link could have their sessions hijacked, passwords stolen, or be redirected to phishing sites. This affects your site's credibility and visitor security.

↗ View on NVD

MEDIUM CVE-2025-14948 5.3/10 · CVSS v3.1 ⏱ Within 7 days

WooCommerce OTP Plugin - Unauthorized Settings Changes

The miniOrange OTP plugin for WooCommerce doesn't properly check user permissions before allowing changes to SMS notification settings. This means attackers can modify important settings without needing admin access.

Impact: Attackers could disable security features, redirect SMS messages, or modify how your store sends notifications to customers, potentially disrupting your business operations.

↗ View on NVD

Is your website running Wordpress 4.3.8?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 1 affected sites

How to Check If Your Website Is Affected

1 Log in to your WordPress admin dashboard and look at the bottom right corner where your WordPress version number is displayed, or navigate to Settings > General and check the WordPress Version field.
2 If you see version 4.3.8 listed, your site is vulnerable to the four identified security flaws. Write down this version number for reference.
3 Note which plugins you have installed by going to Plugins > Installed Plugins, as some of the vulnerabilities affect specific plugins like Infographic Maker, BetterDocs, Simple Membership, and miniOrange OTP Verification.

How to Fix These Vulnerabilities

1 Immediately back up your entire WordPress website using your hosting provider's backup tool or a backup plugin. This ensures you can restore your site if anything goes wrong during the update process.
2 Update WordPress to the latest stable version by going to Dashboard > Updates and clicking the 'Update Now' button. WordPress will handle the update automatically while maintaining your content and settings.
3 After updating WordPress, update all your plugins by navigating to Plugins > Installed Plugins and clicking 'Update Now' for each outdated plugin. Pay special attention to Infographic Maker, BetterDocs, Simple Membership, and miniOrange OTP Verification plugins.
4 Test your website thoroughly after all updates are complete by visiting key pages, checking that forms work correctly, and ensuring no functionality is broken. If you encounter any issues, restore from your backup and contact your hosting support team.

Conclusion

WordPress 4.3.8 contains critical security vulnerabilities that put your website, your visitors, and your business at risk. The SQL injection flaw in the Infographic Maker plugin and the XSS vulnerabilities in BetterDocs, Simple Membership, and miniOrange plugins can be exploited by attackers to steal data, inject malicious code, or take control of your site. Fortunately, updating to the latest WordPress version and patching your plugins takes only minutes and eliminates these threats.

Protecting your WordPress site shouldn't be complicated or time-consuming. SiteRecipe.com specializes in identifying security vulnerabilities, managing updates, and keeping your website secure and running smoothly. Whether you're unsure about updating yourself or want professional monitoring of your site's security, our team is ready to help. Visit SiteRecipe.com today for a free security audit and discover how we can protect your WordPress site from evolving threats.

Frequently Asked Questions

Is WordPress 4.3.8 still supported by WordPress.org?

No, WordPress 4.3.8 is no longer supported and doesn't receive security updates from WordPress.org. This means any newly discovered vulnerabilities won't be patched by the official WordPress team, leaving your site exposed to attack. Updating to a current WordPress version is essential for ongoing security support.

Will updating WordPress delete my posts and pages?

No, updating WordPress will not delete any of your content. WordPress updates only affect the core software files, not your posts, pages, comments, or media files. As long as you back up your site before updating, your content remains safe and intact.

What should I do if my plugins aren't compatible with the latest WordPress version?

First, check with the plugin developer to see if an updated version exists that supports the latest WordPress release. If a plugin is no longer maintained, consider finding a modern alternative that provides the same functionality. Continuing to use outdated, incompatible plugins poses both security and stability risks to your website.

How can I prevent vulnerabilities from affecting my site in the future?

Enable automatic WordPress updates in your admin dashboard, keep all plugins and themes updated, and regularly monitor your site's security status. Consider using a managed WordPress security service like SiteRecipe.com that provides continuous monitoring, automatic backups, and professional vulnerability scanning.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 1 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com