WordPress 4.4 is an old, unsupported release, and a site still running it is exposed to every core flaw fixed since. The list on this page collects 124 CVEs whose descriptions mention the version string "4.4"; the NVD severity column rates 2 of them critical and 29 high. Attackers actively exploit known, unpatched weaknesses like these to steal data, inject malware, and take over sites.
If your website is still powered by WordPress 4.4, you are carrying a serious security liability. This guide explains the threats, shows how to tell whether you are affected, and lists the immediate actions that protect the site. One distinction matters throughout: the version of WordPress core and the versions of the plugins and themes installed on it are separate things, and most rows in the list below describe plugin or theme flaws, not core ones. Whether you run a small blog or a large e-commerce store, both need checking.
The good news is that the fix is well understood: upgrade core, update or remove the affected plugins, and keep doing so. Here is what you need to know.
WordPress 4.4 is an older version of WordPress, the website-building platform used by millions of sites worldwide. Released in December 2015, it introduced responsive images and the infrastructure for the REST API. Because the release is nearly a decade old, the 4.4 branch no longer receives security updates from the WordPress project.
When software stops receiving updates, anyone who finds a weakness can exploit it indefinitely because no patch is coming. Think of it as leaving the front door unlocked while the cameras are offline: the exposure grows with each passing day. Automated scanners sweep the internet for sites that advertise an old version string and exploit them at scale, and WordPress 4.4 is a natural target for them.
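The version string those scanners key on is usually handed to them by the site itself. The following is an added example, not code from the original page or from SiteRecipe: it pulls the WordPress version hints that a public page leaks, so you can see what a scanner sees. Two real WordPress behaviours are checked: the `<meta name="generator">` tag that `wp_head()` prints by default, and the `?ver=X.Y.Z` query string core appends to its own scripts and styles under `/wp-includes/` when no asset version is given. The HTML is constructed for the demo and `example.test` is not a real host.

```python
"""Added example, not code from the original page: extract the WordPress
version strings a public page leaks, which is what mass scanners key on.

Two real WordPress behaviours are checked:
  * the <meta name="generator" content="WordPress X.Y.Z"> tag that
    wp_head() prints by default
  * the ?ver=X.Y.Z query string core appends to its own scripts and
    styles under /wp-includes/ when no asset version is given
The HTML below is constructed for this demo; example.test is not real.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

GENERATOR_RE = re.compile(r"WordPress\s+(\d+(?:\.\d+)+)")
VERSION_RE = re.compile(r"^\d+(?:\.\d+)+$")


class LeakParser(HTMLParser):
    """Collects generator and per-asset version hints from one HTML page."""

    def __init__(self):
        super().__init__()
        self.generator = None        # version from the generator meta tag
        self.asset_versions = set()  # ?ver= values on /wp-includes/ assets

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            m = GENERATOR_RE.search(a.get("content") or "")
            if m:
                self.generator = m.group(1)
        src = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        # Only core assets are interesting: plugin assets carry the
        # plugin's own version, not WordPress's.
        if src and "/wp-includes/" in src:
            for v in parse_qs(urlparse(src).query).get("ver", []):
                if VERSION_RE.match(v):
                    self.asset_versions.add(v)


def detect_wp_version(html):
    """Return {'generator': str|None, 'asset_versions': sorted list}."""
    p = LeakParser()
    p.feed(html)
    p.close()
    return {"generator": p.generator,
            "asset_versions": sorted(p.asset_versions)}


def on_44_branch(result):
    """True if any leaked version string is a 4.4.x release. Heuristic:
    bundled libraries under /wp-includes/ carry their own ?ver= too."""
    candidates = set(result["asset_versions"])
    if result["generator"]:
        candidates.add(result["generator"])
    return any(v.split(".")[:2] == ["4", "4"] for v in candidates)


# Constructed sample: roughly what a default WordPress 4.4.2 front page leaks.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.4.2" />
<link rel='stylesheet' href='https://example.test/wp-includes/css/dashicons.min.css?ver=4.4.2' type='text/css' />
<script src='https://example.test/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
<script src='https://example.test/wp-content/plugins/some-plugin/app.js?ver=4.4.5'></script>
</head><body></body></html>"""

# Same page with the generator tag removed: the ?ver= strings still leak it.
SAMPLE_HTML_NO_GENERATOR = SAMPLE_HTML.replace(
    '<meta name="generator" content="WordPress 4.4.2" />\n', "")

if __name__ == "__main__":
    for label, page in (("default", SAMPLE_HTML), ("no generator", SAMPLE_HTML_NO_GENERATOR)):
        r = detect_wp_version(page)
        print(label, r, "4.4 branch" if on_44_branch(r) else "not 4.4")
```

Removing the generator tag with `remove_action('wp_head', 'wp_generator')` hides only the first signal; the `?ver=` strings need a filter on `script_loader_src` and `style_loader_src` as well. Neither changes whether the site is exploitable, which is why hiding the version is at best a delay and never a substitute for upgrading.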
124 CVEs are listed in the table below. Most of them are not flaws in WordPress core: the list is keyed on the version string "4.4", so the core entries (rows that read "WordPress before 4.4.x" or "In affected versions of WordPress") sit next to plugins and themes whose own version numbers happen to be 4.4.x, and in one row 4.44.3. Before acting on a row, check which component it names and whether that component is installed on your site. A few of the higher-impact flaws are summarized first; the first three summaries name plugins that do not appear in the table itself, so verify those against NVD directly.
The Content Timeline plugin accepts specially crafted requests that reach the database directly, bypassing the normal checks and giving an attacker read and write access to the site's data.
Impact: Attackers could steal customer data, user password hashes, and order information, or delete site content outright. They could also modify the site to inject malware or redirect visitors to malicious sites.
The PDF Embedder plugin can be tricked into accepting files that look like PDFs but are actually Java programs. When a visitor opens such a file, the code runs on their computer.
Impact: Visitors could have their computers infected with malware, ransomware, or spyware. This damages the site's reputation and could expose customer information.
The WooCommerce Dropshipping plugin has a flaw in its payment processing code that lets unauthenticated attackers run arbitrary database commands. No login is required.
Impact: Attackers could steal customer payment information, order details, and personal data, modify prices, create fake orders, or compromise the store completely.
The AI ChatBot plugin mishandles data it stores in browser cookies; crafted cookie values can trigger unauthorized actions on the site.
Impact: Attackers could gain admin access to the WordPress dashboard, install backdoors for persistent access, steal sensitive data, or take over the site.
The Essential Blocks plugin mishandles certain REST API requests, allowing attackers to bypass access controls and read files on the server they should not be able to reach.
Impact: Attackers could read configuration files containing database passwords, API keys, and other secrets, and potentially inject malicious code into the site.
The AppPresser plugin does not properly verify password reset requests, so an attacker can reset other users' passwords without validation (CVE-2024-9305 in the table, rated high with a score of 8.1). This is a route into any account.
Impact: Attackers could take over admin accounts and gain complete control of the site: modify content, steal data, install malware, or lock the owner out.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-13742 | CRITICAL | 9.8 | 2025-01-30 | The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untr… |
| CVE-2024-4371 | CRITICAL | 9.0 | 2024-06-13 | The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up t… |
| CVE-2021-24462 | HIGH | 8.8 | 2021-08-02 | The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate t… |
| CVE-2021-24864 | HIGH | 8.8 | 2022-02-28 | The WP Cloudy, weather plugin WordPress plugin before 4.4.9 does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injec… |
| CVE-2021-4337 | HIGH | 8.8 | 2023-06-07 | Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various v… |
| CVE-2023-6140 | HIGH | 8.8 | 2024-01-08 | The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP file… |
| CVE-2024-1317 | HIGH | 8.8 | 2024-02-29 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to SQL Injection via the ‘search_key’ parameter… |
| CVE-2025-4601 | HIGH | 8.8 | 2025-06-10 | The "RH - Real Estate WordPress Theme" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly… |
| CVE-2025-13065 | HIGH | 8.8 | 2025-12-06 | The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation de… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2016-2222 | HIGH | 8.6 | 2016-05-22 | The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value … |
| CVE-2024-2088 | HIGH | 8.5 | 2024-05-22 | The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSe… |
| CVE-2025-32306 | HIGH | 8.5 | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Radio Player Shoutcast & Icecast WordPress Plugin audio4-html5 a… |
| CVE-2014-6412 | HIGH | 8.1 | 2018-04-12 | WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. |
| CVE-2024-9305 | HIGH | 8.1 | 2024-10-16 | The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to t… |
| CVE-2026-0726 | HIGH | 8.1 | 2026-01-20 | The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untr… |
| CVE-2023-38519 | HIGH | 7.6 | 2023-12-20 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MainWP MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2026-2579 | HIGH | 7.5 | 2026-03-17 | The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, … |
| CVE-2026-5100 | HIGH | 7.5 | 2026-05-05 | The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping… |
| CVE-2016-2221 | HIGH | 7.4 | 2016-05-22 | Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web … |
| CVE-2024-2459 | HIGH | 7.4 | 2024-03-20 | The UX Flat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 4.4 due to insufficient inp… |
| CVE-2018-5695 | HIGH | 7.2 | 2018-01-14 | The WpJobBoard plugin 4.4.4 for WordPress allows SQL injection via the order or sort parameter to the wpjb-job or wpjb-alerts module, with a request to wp-admin/admin.php. |
| CVE-2021-24786 | HIGH | 7.2 | 2022-01-03 | The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, lead… |
| CVE-2024-5791 | HIGH | 7.2 | 2024-06-22 | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, … |
| CVE-2024-6828 | HIGH | 7.2 | 2024-07-23 | The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import fun… |
| CVE-2025-1561 | HIGH | 7.2 | 2025-03-13 | The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due … |
| CVE-2022-3154 | HIGH | 7.1 | 2022-10-10 | The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu & Gravity Forms WordPres… |
| CVE-2024-37262 | HIGH | 7.1 | 2024-07-22 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita.Com Online Booking & Scheduling Calendar for WordPress by vcita … |
| CVE-2024-47638 | HIGH | 7.1 | 2024-10-05 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-sch… |
| CVE-2025-69367 | HIGH | 7.1 | 2026-02-20 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Oyster - Photography WordPress Theme oyster allows DOM-Based XSS.Th… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2021-31567 | MEDIUM | 6.8 | 2022-01-28 | Authenticated (admin+) Arbitrary File Download vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6). The plugin allows arbitrary files, including sens… |
| CVE-2022-2638 | MEDIUM | 6.5 | 2022-08-29 | The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high priv… |
| CVE-2022-3208 | MEDIUM | 6.5 | 2022-10-10 | The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content … |
| CVE-2023-6139 | MEDIUM | 6.5 | 2024-01-08 | The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber ac… |
| CVE-2024-1318 | MEDIUM | 6.5 | 2024-02-29 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized modification of data due to a m… |
| CVE-2024-35761 | MEDIUM | 6.5 | 2024-06-21 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allo… |
| CVE-2024-37499 | MEDIUM | 6.5 | 2024-07-09 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allows Path Trave… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-4842 | MEDIUM | 6.4 | 2023-11-07 | The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social_warfare' shortcode in versions up to, and including, 4.4.3… |
| CVE-2023-7071 | MEDIUM | 6.4 | 2024-01-11 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all… |
| CVE-2024-2031 | MEDIUM | 6.4 | 2024-03-12 | The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoom_recordings_by_meeting' shortcode in all versions up to, a… |
| CVE-2023-6805 | MEDIUM | 6.4 | 2024-04-17 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all ver… |
| CVE-2024-1959 | MEDIUM | 6.4 | 2024-05-02 | The Social Sharing Plugin – Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialWarfare' shortcode in all versions up to, and … |
| CVE-2024-4383 | MEDIUM | 6.4 | 2024-05-14 | The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, an… |
| CVE-2024-4273 | MEDIUM | 6.4 | 2024-06-04 | The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4… |
| CVE-2024-4564 | MEDIUM | 6.4 | 2024-06-12 | The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi… |
| CVE-2024-5945 | MEDIUM | 6.4 | 2024-06-21 | The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.3 due to insufficient input sa… |
| CVE-2024-9165 | MEDIUM | 6.4 | 2024-10-31 | The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, a… |
| CVE-2025-5568 | MEDIUM | 6.4 | 2025-06-07 | The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanit… |
| CVE-2025-13731 | MEDIUM | 6.4 | 2025-12-02 | The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nxt-year' shortcode in all versions up to, and… |
| CVE-2025-9856 | MEDIUM | 6.4 | 2025-12-13 | The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' short… |
| CVE-2025-13367 | MEDIUM | 6.4 | 2025-12-15 | The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stor… |
| CVE-2026-3228 | MEDIUM | 6.4 | 2026-03-10 | The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode in all versions up to, and includi… |
| CVE-2026-0868 | MEDIUM | 6.4 | 2026-04-19 | The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, an… |
| CVE-2016-1564 | MEDIUM | 6.1 | 2016-05-22 | Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a… |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2020-29171 | MEDIUM | 6.1 | 2021-02-10 | Cross-site scripting (XSS) vulnerability in admin/wp-security-blacklist-menu.php in the Tips and Tricks HQ All In One WP Security & Firewall (all-in-one-wp-security-and-firewall) … |
| CVE-2021-24560 | MEDIUM | 6.1 | 2021-09-13 | The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, lead… |
| CVE-2021-24964 | MEDIUM | 6.1 | 2022-01-03 | The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoin… |
| CVE-2022-3062 | MEDIUM | 6.1 | 2022-09-26 | The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting |
| CVE-2023-1011 | MEDIUM | 6.1 | 2023-05-08 | The AI ChatBot WordPress plugin before 4.4.5 does not escape most of its settings before outputting them back in the dashboard, and does not have a proper CSRF check, allowing att… |
| CVE-2023-1660 | MEDIUM | 6.1 | 2023-05-08 | The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in a function hooked to init, allowing unauthenticated users to update some settings, leading to … |
| CVE-2023-7200 | MEDIUM | 6.1 | 2024-01-29 | The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could b… |
| CVE-2024-0957 | MEDIUM | 6.1 | 2024-03-22 | The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Customer Notes field in a… |
| CVE-2024-1762 | MEDIUM | 6.1 | 2024-05-22 | The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP_USER_AGENT header in all versions up to, and including,… |
| CVE-2024-5859 | MEDIUM | 6.1 | 2024-06-21 | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘d’ parameter in all versions up to, a… |
| CVE-2023-3132 | MEDIUM | 5.9 | 2023-06-27 | The MainWP Child plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.4.1.1 due to insufficient controls on the storage of back… |
| CVE-2024-13641 | MEDIUM | 5.9 | 2025-02-14 | The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Sensitive Informati… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2021-24334 | MEDIUM | 5.4 | 2021-06-01 | The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter se… |
| CVE-2022-30337 | MEDIUM | 5.4 | 2022-07-21 | Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings. |
| CVE-2022-4545 | MEDIUM | 5.4 | 2023-01-23 | The Sitemap WordPress plugin before 4.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role … |
| CVE-2023-0062 | MEDIUM | 5.4 | 2023-02-06 | The EAN for WooCommerce WordPress plugin before 4.4.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode … |
| CVE-2023-1651 | MEDIUM | 5.4 | 2023-05-08 | The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, s… |
| CVE-2023-2414 | MEDIUM | 5.4 | 2023-06-09 | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vc… |
| CVE-2023-6141 | MEDIUM | 5.4 | 2024-01-08 | The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber ac… |
| CVE-2024-3730 | MEDIUM | 5.4 | 2024-04-25 | The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, an… |
| CVE-2024-1446 | MEDIUM | 5.4 | 2024-05-22 | The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.3. This is due to missing o… |
| CVE-2024-13692 | MEDIUM | 5.4 | 2025-02-14 | The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Obj… |
| CVE-2025-14976 | MEDIUM | 5.4 | 2026-01-10 | The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable … |
| CVE-2023-2299 | MEDIUM | 5.3 | 2023-06-03 | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data via the /wp-json/vcita-wordpress/v1/actions/a… |
| CVE-2024-3216 | MEDIUM | 5.3 | 2024-04-06 | The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability… |
| CVE-2024-6544 | MEDIUM | 5.3 | 2024-09-13 | The Custom Post Limits plugin for WordPress is vulnerable to full path disclosure in all versions up to, and including, 4.4.1. This is due to the plugin utilizing bootstrap and le… |
| CVE-2024-13520 | MEDIUM | 5.3 | 2025-02-20 | The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capabilit… |
| CVE-2025-1404 | MEDIUM | 5.3 | 2025-03-01 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_sccp_reports_… |
| CVE-2025-13079 | MEDIUM | 5.3 | 2026-02-19 | The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2025-10142 | MEDIUM | 4.9 | 2025-09-10 | The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to… |
| CVE-2021-24681 | MEDIUM | 4.8 | 2021-10-11 | The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to pe… |
| CVE-2021-24841 | MEDIUM | 4.8 | 2021-11-17 | The Helpful WordPress plugin before 4.4.59 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even w… |
| CVE-2021-24963 | MEDIUM | 4.8 | 2022-01-03 | The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site… |
| CVE-2021-36920 | MEDIUM | 4.8 | 2022-01-14 | Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress plugin Download Monitor (versions <= 4.4.6). |
| CVE-2022-1093 | MEDIUM | 4.8 | 2022-05-23 | The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an admi… |
| CVE-2022-3207 | MEDIUM | 4.8 | 2022-10-10 | The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross… |
| CVE-2024-10939 | MEDIUM | 4.8 | 2024-12-13 | The Image Widget WordPress plugin before 4.4.11 does not sanitise and escape some of its Image Widget settings, which could allow high privilege users such as admin to perform Sto… |
| CVE-2024-9236 | MEDIUM | 4.8 | 2025-05-15 | The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Script… |
| CVE-2026-2721 | MEDIUM | 4.8 | 2026-03-07 | The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitiz… |
| CVE-2021-25102 | MEDIUM | 4.7 | 2022-05-02 | The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via … |
| CVE-2024-1985 | MEDIUM | 4.7 | 2024-03-13 | The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 4.4.2 due to insuffi… |
| CVE-2024-2967 | MEDIUM | 4.4 | 2024-05-02 | The Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in … |
| CVE-2011-3854 | MEDIUM | 4.3 | 2011-09-28 | Cross-site scripting (XSS) vulnerability in the ZenLite theme before 4.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. |
| CVE-2014-8955 | MEDIUM | 4.3 | 2014-11-17 | Cross-site scripting (XSS) vulnerability in the Contact Form Clean and Simple (clean-and-simple-contact-form-by-meg-nicholas) plugin 4.4.0 and earlier for WordPress allows remote … |
| CVE-2021-4389 | MEDIUM | 4.3 | 2023-07-01 | The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-1092 | MEDIUM | 4.3 | 2024-02-05 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized data modification due to a miss… |
| CVE-2024-24837 | MEDIUM | 4.3 | 2024-02-21 | Cross-Site Request Forgery (CSRF) vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce, Frédéric GILLES FG Drupal to WordPress, Frédéric GILLES FG Joomla to WordPress.Thi… |
| CVE-2023-4627 | MEDIUM | 4.3 | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_config() function in versions up to, and includin… |
| CVE-2023-4628 | MEDIUM | 4.3 | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ladiflow_save_hook() function in versions up to, and including, 4.… |
| CVE-2023-4728 | MEDIUM | 4.3 | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publish_lp() function hooked via an AJAX action in ver… |
| CVE-2023-4729 | MEDIUM | 4.3 | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the publish_lp() function hooked via an AJAX action in versions up to,… |
| CVE-2023-4731 | MEDIUM | 4.3 | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the init_endpoint() function hooked via 'init' in versions up to, and i… |
| CVE-2024-2033 | MEDIUM | 4.3 | 2024-04-09 | The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the get_assign_host_id AJAX a… |
| CVE-2024-4274 | MEDIUM | 4.3 | 2024-06-04 | The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all v… |
| CVE-2024-13439 | MEDIUM | 4.3 | 2025-02-15 | The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up t… |
| CVE-2025-1666 | MEDIUM | 4.3 | 2025-03-06 | The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2021-23174 | LOW | 3.4 | 2022-01-28 | Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6) Vulnerable parameters: &post_title, … |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
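Acting on the table means comparing what is actually installed against the version in which each flaw was fixed. The following is an added example, not code from the original page or from SiteRecipe: it audits a WordPress install on disk, reading the core version from `wp-includes/version.php` and each plugin's `Plugin Name:` and `Version:` headers, and compares them against a small lookup built only from rows above whose text states "before X" explicitly (so the fixed-in version is unambiguous). Matching plugins by their display name, the lookup itself, and the sample install tree are assumptions made for this demo; the lookup is a handful of rows, not a complete feed.

```python
"""Added example, not code from the original page: audit a WordPress
install on disk against fixed-in versions taken from the table above.

Core version comes from wp-includes/version.php; plugin versions come from
the "Plugin Name:" and "Version:" headers of each plugin's main PHP file.
The lookup below uses only rows whose text states "before X" explicitly.
Matching plugins by display name, and the sample tree, are assumptions
made for this demo; the lookup is not a complete feed.
"""
import os
import re
import tempfile

# (component, fixed-in version, CVE) copied from the table; "core" is WordPress itself.
FIXED_IN = [
    ("core", "4.4.1", "CVE-2016-1564"),
    ("core", "4.4.2", "CVE-2016-2222"),
    ("core", "4.4.2", "CVE-2016-2221"),
    ("Download Monitor", "4.4.5", "CVE-2021-24786"),
    ("LiteSpeed Cache", "4.4.4", "CVE-2021-24964"),
    ("Simple File List", "4.4.12", "CVE-2022-3208"),
    ("WP Cloudy", "4.4.9", "CVE-2021-24864"),
    ("AI ChatBot", "4.4.9", "CVE-2023-1660"),
    ("All In One WP Security & Firewall", "4.4.11", "CVE-2021-25102"),
]

CORE_RE = re.compile(r"^\$wp_version\s*=\s*'([^']+)'", re.M)
HEADER_RE = {
    "name": re.compile(r"^[ \t/*#]*Plugin Name:\s*(.+?)\s*$", re.M),
    "version": re.compile(r"^[ \t/*#]*Version:\s*(\S+)", re.M),
}


def vtuple(v):
    """'4.4.12' -> (4, 4, 12); non-numeric suffixes are dropped."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_before(installed, fixed):
    """Numeric compare with padding, so that 4.4 == 4.4.0 < 4.4.1."""
    a, b = vtuple(installed), vtuple(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def core_version(root):
    """$wp_version as declared in wp-includes/version.php, or None."""
    path = os.path.join(root, "wp-includes", "version.php")
    with open(path, encoding="utf-8", errors="replace") as f:
        m = CORE_RE.search(f.read())
    return m.group(1) if m else None


def plugin_versions(root):
    """Map plugin display name -> version from the 8 KB header block that
    WordPress itself reads when listing plugins."""
    found = {}
    pdir = os.path.join(root, "wp-content", "plugins")
    if not os.path.isdir(pdir):
        return found
    for entry in os.scandir(pdir):
        if entry.is_file() and entry.name.endswith(".php"):
            php_files = [entry.path]
        elif entry.is_dir():
            php_files = [os.path.join(entry.path, f)
                         for f in os.listdir(entry.path) if f.endswith(".php")]
        else:
            continue
        for php in php_files:
            with open(php, encoding="utf-8", errors="replace") as f:
                head = f.read(8192)
            name = HEADER_RE["name"].search(head)
            ver = HEADER_RE["version"].search(head)
            if name and ver:
                found[name.group(1)] = ver.group(1)
    return found


def audit(root):
    """Return [(component, installed, fixed_in, cve)] for every lookup row
    whose component is installed at a version older than the fix."""
    core = core_version(root)
    plugins = plugin_versions(root)
    findings = []
    for comp, fixed, cve in FIXED_IN:
        installed = core if comp == "core" else plugins.get(comp)
        if installed and is_before(installed, fixed):
            findings.append((comp, installed, fixed, cve))
    return findings


def build_sample_tree():
    """Constructed install for the demo: core 4.4.1 plus three plugins."""
    root = tempfile.mkdtemp(prefix="wp44-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '4.4.1';\n")
    for slug, name, ver in (("download-monitor", "Download Monitor", "4.4.4"),
                            ("litespeed-cache", "LiteSpeed Cache", "4.4.4"),
                            ("simple-file-list", "Simple File List", "4.4.12")):
        d = os.path.join(root, "wp-content", "plugins", slug)
        os.makedirs(d)
        with open(os.path.join(d, slug + ".php"), "w") as f:
            f.write("<?php\n/**\n * Plugin Name: %s\n * Version: %s\n */\n" % (name, ver))
    return root


if __name__ == "__main__":
    for comp, installed, fixed, cve in audit(build_sample_tree()):
        print("%-18s installed %-7s fixed in %-7s %s" % (comp, installed, fixed, cve))
```

On the sample tree the audit reports core 4.4.1 against the two "before 4.4.2" core rows and Download Monitor 4.4.4 against its "before 4.4.5" row, while LiteSpeed Cache and Simple File List sitting exactly at their fixed-in versions are not flagged. Two caveats when running this against a real install: rows phrased "up to, and including, X" need the next released version as the fixed-in value, and a core version at the end of the 4.4.x backport line is still missing every fix made after the branch stopped receiving updates, so a clean result from this lookup does not make 4.4 safe to keep.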
Running WordPress 4.4 is gambling with your website's security. The entries above, in particular the critical- and high-rated SQL injection, privilege escalation, and unauthorized file access flaws, give attackers several paths into a site. Each day you delay is another day these known weaknesses can be used to steal customer data, inject malware, or hold the site for ransom.
Don't let your website become another statistic. Upgrade core now, update or remove every affected plugin and theme, and keep both current going forward. SiteRecipe.com offers automated vulnerability scanning, one-click security recommendations, and ongoing monitoring that alerts you to threats before they strike. Start with a free security scan to see exactly which of these risks apply to your site.