WordPress 4.4.1 is an older version of the popular website platform that powers millions of sites worldwide. If you're still running this version, your website may be at serious risk from security vulnerabilities. Our security research has identified 19 known CVEs affecting WordPress 4.4.1, including 1 critical vulnerability and 3 high-severity flaws that could allow attackers to take control of your site or steal sensitive data.
This comprehensive guide will walk you through understanding these vulnerabilities, identifying if your site is affected, and implementing the necessary fixes to protect your WordPress installation. Whether you manage a small business website or a large ecommerce platform, staying informed about these security risks is essential to maintaining your online presence and protecting your users' information.
We've compiled the most important information from our security experts to help you quickly assess and remediate these vulnerabilities before they can be exploited.
WordPress 4.4.1 is a version of WordPress that was released several years ago. WordPress is the most popular website builder in the world, used by bloggers, businesses, and ecommerce stores to create and manage their online presence without needing extensive coding knowledge. This particular version includes the core WordPress platform along with various built-in features for creating pages, posts, and managing user accounts.
Even though WordPress 4.4.1 was functional when it was released, security vulnerabilities have been discovered over time both in the core software and in popular plugins that extend WordPress functionality. These vulnerabilities are documented as CVEs (Common Vulnerabilities and Exposures), which is the industry standard way of tracking and reporting security flaws. Running outdated versions of WordPress leaves your site exposed to these known attacks, making it a target for hackers looking for easy-to-exploit security gaps.
19 CVEs found. The most critical are explained below.
The CoDesigner plugin has a serious flaw that lets hackers inject malicious code through a hidden browser file called a cookie. This code runs on your server and gives attackers complete control. You need to update immediately if you use this plugin.
Impact: An attacker could steal your data, modify your website, access customer information, or lock you out of your own site entirely.
↗ View on NVDThe RH Real Estate theme doesn't properly check who can change user permissions. Someone could trick the system into giving themselves admin privileges without your permission. If you use this theme, you need to update or switch themes soon.
Impact: An attacker could create an admin account, access all your sensitive data, modify content, or take complete control of your website.
↗ View on NVDThe Redux Framework plugin allows anyone on the internet to upload files to your server without logging in. These files can contain harmful code that damages your site. Update this plugin as soon as possible.
Impact: Attackers could upload malicious files that infect your website, steal visitor data, or completely take over your site without needing to know any passwords.
↗ View on NVDThe AppPresser plugin doesn't properly clean up information before displaying it. Hackers can inject harmful code that runs when visitors view your site. This is stored permanently and affects all your users.
Impact: Visitors' browsers could be infected, their passwords stolen, they could be redirected to malicious sites, or your site's reputation could be damaged.
↗ View on NVDThe Simple File List plugin doesn't verify that actions are really coming from you. An attacker could trick your logged-in admin account into creating pages or changing content without your knowledge. Update this plugin soon.
Impact: Hackers could add malicious content to your website, create spam pages, or modify important information without you realizing it.
↗ View on NVDThe CoDesigner plugin's widgets don't properly clean harmful code before showing it on your site. An attacker can inject malicious code that runs in visitors' browsers when they view these widgets. Update this plugin immediately.
Impact: Visitors could have their information stolen, their browsers infected with malware, or be redirected to dangerous websites.
↗ View on NVDShowing first 10 of 13. View all on NVD ↗
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-13731 | MEDIUM | 6.4 | 2025-12-02 | The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nxt-year' shortcode in all versions up to, and… |
| CVE-2025-9856 | MEDIUM | 6.4 | 2025-12-13 | The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' short… |
| CVE-2016-1564 | MEDIUM | 6.1 | 2016-05-22 | Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a… |
| CVE-2022-3062 | MEDIUM | 6.1 | 2022-09-26 | The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting |
| CVE-2023-7200 | MEDIUM | 6.1 | 2024-01-29 | The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could b… |
| CVE-2024-0957 | MEDIUM | 6.1 | 2024-03-22 | The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Customer Notes field in a… |
| CVE-2023-3132 | MEDIUM | 5.9 | 2023-06-27 | The MainWP Child plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.4.1.1 due to insufficient controls on the storage of back… |
| CVE-2024-6544 | MEDIUM | 5.3 | 2024-09-13 | The Custom Post Limits plugin for WordPress is vulnerable to full path disclosure in all versions up to, and including, 4.4.1. This is due to the plugin utilizing bootstrap and le… |
| CVE-2022-3207 | MEDIUM | 4.8 | 2022-10-10 | The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross… |
| CVE-2024-10939 | MEDIUM | 4.8 | 2024-12-13 | The Image Widget WordPress plugin before 4.4.11 does not sanitise and escape some of its Image Widget settings, which could allow high privilege users such as admin to perform Sto… |
| CVE-2021-25102 | MEDIUM | 4.7 | 2022-05-02 | The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via … |
| CVE-2024-1092 | MEDIUM | 4.3 | 2024-02-05 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized data modification due to a miss… |
| CVE-2025-1666 | MEDIUM | 4.3 | 2025-03-06 | The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on… |
Plain English · Fix recommendations · Instant PDF & HTML download
Scan your site in 30 seconds. Used by 500+ web agencies.
WordPress 4.4.1 contains multiple serious security vulnerabilities that put your website and your users at risk. The critical PHP Object Injection flaw (CVE-2024-4371), combined with high-severity issues like privilege escalation and unauthorized file uploads, means that attackers actively target outdated WordPress installations. Taking immediate action to update your WordPress version and plugins is not just a best practice—it's essential to prevent data breaches, malware infections, and complete site takeovers.
Don't let your website become another victim of preventable security attacks. Visit SiteRecipe.com today to scan your WordPress installation for vulnerabilities, get detailed remediation guidance, and receive ongoing security monitoring to keep your site protected. Our expert security tools are designed to help website owners of all technical levels quickly identify and fix security issues before they become critical problems. Your website's security is too important to delay—start your free vulnerability assessment now.
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.