WordPress 4.5, released in 2016, is now considered a significant security risk with 156 documented vulnerabilities discovered across multiple plugins and themes. If your website is still running this outdated version, you're exposing your business to serious threats including remote code execution, arbitrary file uploads, and unauthorized access. This comprehensive guide will help you identify if you're vulnerable and take immediate action to protect your site.
The severity of these vulnerabilities cannot be overstated. Six critical-level CVEs affect popular plugins like Nelio A/B Testing, Divi Builder, GEO my WP, and OMGF, allowing attackers to execute malicious code, upload dangerous files, and compromise your entire WordPress installation. Even if you're not directly using these plugins, your server and data are at risk if WordPress 4.5 remains unpatched.
WordPress 4.5 was released in April 2016 and marked a significant milestone for the platform with the introduction of the REST API and improved mobile editing capabilities. However, the version has long since passed its support lifecycle, meaning WordPress developers no longer release security patches or updates for it. This makes WordPress 4.5 an increasingly dangerous choice for website owners who rely on the platform for their online presence.
Think of WordPress versions like the software on your computer: just as Windows or macOS require regular updates to stay secure, WordPress versions need continuous patches to protect against newly discovered threats. WordPress 4.5 is essentially running without security updates, making it vulnerable to every new attack discovered since 2016. Whether you're running a personal blog or a business website, staying on WordPress 4.5 puts your entire digital presence at risk.
156 CVEs found. The most critical are explained below.
The Nelio A/B Testing plugin before version 4.5.9 has a security flaw that allows attackers to make your server request files from other websites or internal systems. This happens through a feature in the plugin's code that doesn't properly validate where requests are being sent.
Impact: An attacker could use your website's server to access sensitive information, attack other websites, or bypass security measures. This could damage your website's reputation and potentially expose private data.
Similar to CVE-2016-10926, the Nelio A/B Testing plugin before version 4.5.11 contains the same server-side request flaw. Even though version 4.5.9 was patched, updating to 4.5.11 is required for complete protection.
Impact: Your server could be misused to attack other systems or retrieve unauthorized information. This puts your website at risk of legal liability and loss of customer trust.
The Divi Builder plugin before version 4.5.3 allows authorized users (like content editors) to upload dangerous files, such as executable PHP scripts, instead of just images or documents. The file-type check exists only in your browser, not on the server where it matters.
Impact: A compromised or malicious team member could upload code that takes over your entire website, steals customer data, or turns your site into a malware distribution point.
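The server-side check the passage above says is missing, as an added example that is not Divi Builder's or any plugin's own code: a WordPress AJAX upload handler that validates file type on the server with WordPress's own `wp_check_filetype_and_ext()` and `wp_handle_upload()`, alongside the nonce and capability checks that belong with it. The action name `example_upload_asset`, the form field `asset`, and the allowlist are assumptions for the example.

```php
<?php
/**
 * Added example (not code from Divi Builder or any real plugin): a WordPress
 * AJAX upload handler that enforces the file-type check on the SERVER.
 *
 * The vulnerable pattern described above relies only on the browser's
 * <input accept="image/*"> or JavaScript filter. That filter is advisory:
 * the request can be sent without it, so the server must re-check.
 *
 * Hypothetical names: the AJAX action 'example_upload_asset' and the
 * $_FILES field 'asset'.
 */

// Hypothetical allowlist: only these extension => MIME pairs are accepted.
function example_allowed_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
}

/**
 * Validate one $_FILES entry on the server.
 * Returns the sanitized file name on success, or a WP_Error on rejection.
 */
function example_validate_upload( array $file ) {
    if ( ! isset( $file['tmp_name'], $file['name'], $file['error'] )
        || UPLOAD_ERR_OK !== $file['error'] ) {
        return new WP_Error( 'upload_failed', 'Upload did not complete.' );
    }
    // Reject anything that PHP did not itself receive as an upload.
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_uploaded', 'Not an uploaded file.' );
    }
    $name = sanitize_file_name( $file['name'] );

    // wp_check_filetype_and_ext() checks the extension against the allowlist
    // AND inspects the file's real content, so a file that is not actually a
    // JPEG/PNG/GIF is rejected whatever extension the client gave it.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, example_allowed_mimes() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG and GIF images are accepted.' );
    }
    // WordPress may correct the extension to match the detected content;
    // use that name rather than the one the client supplied.
    return ! empty( $check['proper_filename'] ) ? $check['proper_filename'] : $name;
}

function example_upload_asset_handler() {
    // The nonce ties the request to the plugin's own form (blocks CSRF);
    // the capability check confirms the user may add files at all.
    check_ajax_referer( 'example_upload_asset', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    if ( empty( $_FILES['asset'] ) ) {
        wp_send_json_error( 'No file received.', 400 );
    }

    $file = $_FILES['asset'];
    $name = example_validate_upload( $file );
    if ( is_wp_error( $name ) ) {
        wp_send_json_error( $name->get_error_message(), 400 );
    }
    $file['name'] = $name;

    // wp_handle_upload() repeats the type check against the same allowlist
    // and moves the file into the uploads directory. 'test_form' => false is
    // required because this AJAX request carries no standard form 'action'.
    $result = wp_handle_upload(
        $file,
        array( 'test_form' => false, 'mimes' => example_allowed_mimes() )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_upload_asset', 'example_upload_asset_handler' );
```

As defence in depth, the web server should also be configured not to execute PHP from the uploads directory, so a validation bypass does not immediately become code execution.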
The GEO my WP plugin before version 4.5.0.2 fails to block unauthorized users from including and running malicious code through file manipulation. Anyone, even without a website account, can trigger this vulnerability.
Impact: Attackers can execute arbitrary code on your server, giving them complete control over your website, customer data, and server resources. This is one of the most severe types of attacks possible.
The OMGF plugin before version 4.5.4 doesn't properly secure its file handling, allowing unauthenticated attackers to manipulate file paths and overwrite your CSS files or download Google Fonts. This happens because user input isn't validated.
Impact: Attackers could deface your website's appearance, redirect visitors to malicious sites, or access files they shouldn't have. This could damage user trust and lead to further security breaches.
The vcita Online Booking plugin through version 4.5.3 allows attackers to upload malicious files without proper restrictions. There's no adequate check to prevent uploading executable or dangerous file types.
Impact: Attackers could upload malware, ransomware, or other harmful files that compromise your website and endanger your customers' information and devices.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2016-6635 | HIGH | 8.8 | 2016-08-07 | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers t… |
| CVE-2021-24711 | HIGH | 8.8 | 2021-10-11 | The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack |
| CVE-2021-39317 | HIGH | 8.8 | 2021-10-11 | A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a miss… |
| CVE-2021-24631 | HIGH | 8.8 | 2021-11-08 | The Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, lead… |
| CVE-2023-0875 | HIGH | 8.8 | 2023-03-20 | The WP Meta SEO WordPress plugin before 4.5.3 does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited b… |
| CVE-2023-1381 | HIGH | 8.8 | 2023-04-10 | The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. … |
| CVE-2025-12028 | HIGH | 8.8 | 2025-10-24 | The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login… |
| CVE-2025-12966 | HIGH | 8.8 | 2025-12-06 | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in version… |
| CVE-2025-12957 | HIGH | 8.8 | 2026-01-16 | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validat… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2016-4029 | HIGH | 8.6 | 2016-08-07 | WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF prot… |
| CVE-2021-24639 | HIGH | 8.1 | 2021-09-20 | The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users… |
| CVE-2025-53243 | HIGH | 8.1 | 2025-08-28 | Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress employee-directory allows Object Injecti… |
| CVE-2026-7252 | HIGH | 8.1 | 2026-05-07 | The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficie… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2016-5832 | HIGH | 7.5 | 2016-06-29 | The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. |
| CVE-2016-5835 | HIGH | 7.5 | 2016-06-29 | WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions… |
| CVE-2016-5836 | HIGH | 7.5 | 2016-06-29 | The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. |
| CVE-2016-5837 | HIGH | 7.5 | 2016-06-29 | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. |
| CVE-2016-5838 | HIGH | 7.5 | 2016-06-29 | WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. |
| CVE-2016-5839 | HIGH | 7.5 | 2016-06-29 | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. |
| CVE-2023-6114 | HIGH | 7.5 | 2023-12-26 | The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup… |
| CVE-2024-13475 | HIGH | 7.5 | 2025-02-12 | The Small Package Quotes – UPS Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' parameter in all versions up to, and including, 4.5.16 due to insuffic… |
| CVE-2026-9757 | HIGH | 7.5 | 2026-05-30 | The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5 The parameters are read … |
| CVE-2023-6961 | HIGH | 7.2 | 2024-05-02 | The WP Meta SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Referer’ header in all versions up to, and including, 4.5.12 due to insufficient input s… |
| CVE-2016-6896 | HIGH | 7.1 | 2017-01-18 | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denia… |
| CVE-2024-47327 | HIGH | 7.1 | 2024-10-06 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eyal Fitoussi GEO my WordPress geo-my-wp allows Reflected XSS.This issue affe… |
| CVE-2014-4717 | MEDIUM | 6.8 | 2014-07-03 | Multiple cross-site request forgery (CSRF) vulnerabilities in the Simple Share Buttons Adder plugin before 4.5 for WordPress allow remote attackers to hijack the authentication of… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2024-9422 | MEDIUM | 6.6 | 2024-11-22 | The GEO my WP WordPress plugin before 4.5, gmw-premium-settings WordPress plugin before 3.1 does not sufficiently validate files to be uploaded, which could allow attackers to upl… |
| CVE-2016-10977 | MEDIUM | 6.5 | 2019-09-17 | The nelio-ab-testing plugin before 4.5.0 for WordPress has filename=..%2f directory traversal. |
| CVE-2021-24244 | MEDIUM | 6.5 | 2021-05-06 | An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such… |
| CVE-2022-1551 | MEDIUM | 6.5 | 2022-07-25 | The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files. |
| CVE-2023-6158 | MEDIUM | 6.5 | 2024-01-10 | The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on… |
| CVE-2023-6242 | MEDIUM | 6.5 | 2024-01-11 | The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (for Pro) & 2.2.… |
| CVE-2023-6244 | MEDIUM | 6.5 | 2024-01-11 | The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (F… |
| CVE-2024-1860 | MEDIUM | 6.5 | 2024-02-28 | The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a mis… |
| CVE-2021-4445 | MEDIUM | 6.5 | 2024-10-16 | The Premium Addons for Elementor plugin for WordPress is vulnerable to Arbitrary Option Updates in versions up to, and including, 4.5.1. This is due to missing capability and nonc… |
| CVE-2024-54326 | MEDIUM | 6.5 | 2024-12-13 | Missing Authorization vulnerability in Eyal Fitoussi GEO my WordPress geo-my-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GEO my W… |
| CVE-2025-54676 | MEDIUM | 6.5 | 2025-08-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-sch… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-6561 | MEDIUM | 6.4 | 2024-01-11 | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the featured image alt text in all versions up to, and including, 4.5.3 du… |
| CVE-2024-1854 | MEDIUM | 6.4 | 2024-03-13 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId parameter in all versi… |
| CVE-2024-2255 | MEDIUM | 6.4 | 2024-03-20 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versio… |
| CVE-2024-4891 | MEDIUM | 6.4 | 2024-05-18 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tagName’ parameter in version… |
| CVE-2024-8547 | MEDIUM | 6.4 | 2024-09-28 | The Simple Popup Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [popup] shortcode in all versions up to, and including, 4.5 due to insuf… |
| CVE-2024-12444 | MEDIUM | 6.4 | 2025-01-30 | The WP Dispensary plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpd_menu' shortcode in all versions up to, and including, 4.5.0 due to insuff… |
| CVE-2025-1489 | MEDIUM | 6.4 | 2025-02-21 | The WP-Appbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's appbox shortcode in all versions up to, and including, 4.5.4 due to insufficient i… |
| CVE-2025-4611 | MEDIUM | 6.4 | 2025-05-21 | The Slim SEO – Fast & Automated WordPress SEO Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slim_seo_breadcrumbs shortcode in all versi… |
| CVE-2025-5531 | MEDIUM | 6.4 | 2025-06-04 | The Employee Directory – Staff Listing & Team Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' short… |
| CVE-2025-5238 | MEDIUM | 6.4 | 2025-06-14 | The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insuffici… |
| CVE-2025-8295 | MEDIUM | 6.4 | 2025-08-05 | The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.5.1 due to insuff… |
| CVE-2025-8567 | MEDIUM | 6.4 | 2025-08-19 | The Nexter Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 4.5.4 due to insufficient input sani… |
| CVE-2025-9488 | MEDIUM | 6.4 | 2025-12-13 | The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 4.5.8 due to insufficient inpu… |
| CVE-2026-7796 | MEDIUM | 6.4 | 2026-06-06 | The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block '… |
| CVE-2016-4566 | MEDIUM | 6.1 | 2016-05-22 | Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script … |
| CVE-2016-4567 | MEDIUM | 6.1 | 2016-05-22 | Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbit… |
| CVE-2016-5833 | MEDIUM | 6.1 | 2016-06-29 | Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to injec… |
| CVE-2016-5834 | MEDIUM | 6.1 | 2016-06-29 | Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitr… |
| CVE-2016-6634 | MEDIUM | 6.1 | 2016-08-07 | Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vector… |
| CVE-2015-9349 | MEDIUM | 6.1 | 2019-08-27 | The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has reflected XSS in the "built-in (old)" file browser. |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2020-12696 | MEDIUM | 6.1 | 2020-05-07 | The iframe plugin before 4.5 for WordPress does not sanitize a URL. |
| CVE-2022-1170 | MEDIUM | 6.1 | 2022-04-04 | In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests. |
| CVE-2022-34857 | MEDIUM | 6.1 | 2022-08-22 | Reflected Cross-Site Scripting (XSS) vulnerability in smartypants SP Project & Document Manager plugin <= 4.59 at WordPress |
| CVE-2023-0876 | MEDIUM | 6.1 | 2023-03-20 | The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary red… |
| CVE-2023-1780 | MEDIUM | 6.1 | 2023-07-10 | The Companion Sitemap Generator WordPress plugin before 4.5.3 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Sc… |
| CVE-2024-0233 | MEDIUM | 6.1 | 2024-01-16 | The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not properly sanitise and escape a parameter before outputting it back in pages, leading to a R… |
| CVE-2024-0238 | MEDIUM | 6.1 | 2024-01-16 | The EventON Premium WordPress plugin before 4.5.6, EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and does not ensure that the post to be updat… |
| CVE-2024-12710 | MEDIUM | 6.1 | 2024-12-24 | The WP-Appbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 4.5.3 due to insufficient input s… |
| CVE-2026-0862 | MEDIUM | 6.1 | 2026-01-24 | The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions up to, and including, 4.5.5 due… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2022-4697 | MEDIUM | 5.5 | 2022-12-23 | The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_user_cover_default_image_url’ parameter in versions up to, and including, 4.5.0 due … |
| CVE-2022-4698 | MEDIUM | 5.5 | 2022-12-23 | The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several form fields in versions up to, and including, 4.5.0 due to insufficient input saniti… |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2021-24255 | MEDIUM | 5.4 | 2021-05-05 | The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as co… |
| CVE-2021-24243 | MEDIUM | 5.4 | 2021-05-06 | An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low priv… |
| CVE-2022-43481 | MEDIUM | 5.4 | 2022-11-08 | Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal. |
| CVE-2022-38461 | MEDIUM | 5.4 | 2022-11-17 | Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings (se… |
| CVE-2022-45071 | MEDIUM | 5.4 | 2022-11-17 | Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. |
| CVE-2022-4576 | MEDIUM | 5.4 | 2023-01-23 | The Easy Bootstrap Shortcode WordPress plugin through 4.5.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allo… |
| CVE-2022-4786 | MEDIUM | 5.4 | 2023-02-21 | The Video.js WordPress plugin through 4.5.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, … |
| CVE-2023-1022 | MEDIUM | 5.4 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized options update due to a missing capability check on the wpmsGGSaveInformation function in versions up to, and in… |
| CVE-2023-1023 | MEDIUM | 5.4 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the saveSitemapSettings function in versions up to, … |
| CVE-2023-0066 | MEDIUM | 5.4 | 2023-03-13 | The Companion Sitemap Generator WordPress plugin through 4.5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the… |
| CVE-2023-2416 | MEDIUM | 5.4 | 2023-06-03 | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the vcita_logout_c… |
| CVE-2023-49821 | MEDIUM | 5.4 | 2023-12-18 | Cross-Site Request Forgery (CSRF) vulnerability in LiveChat LiveChat – WP live chat plugin for WordPress.This issue affects LiveChat – WP live chat plugin for WordPress: from n/a … |
| CVE-2024-3818 | MEDIUM | 5.4 | 2024-04-19 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "Social Icons" block … |
| CVE-2024-10473 | MEDIUM | 5.4 | 2024-11-28 | The Logo Slider WordPress plugin before 4.5.0 does not sanitise and escape some of its Logo Settings when outputing them in pages where the Logo Slider shortcode is embed, which … |
| CVE-2024-10896 | MEDIUM | 5.4 | 2024-11-28 | The Logo Slider WordPress plugin before 4.5.0 does not sanitise and escape some of its Logo and Slider settings, which could allow high privilege users such as Contributor to per… |
| CVE-2024-9872 | MEDIUM | 5.4 | 2024-12-06 | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vc… |
| CVE-2024-54356 | MEDIUM | 5.4 | 2024-12-16 | Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery.T… |
| CVE-2025-7205 | MEDIUM | 5.4 | 2025-07-31 | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and in… |
| CVE-2025-10749 | MEDIUM | 5.4 | 2025-10-24 | The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to m… |
| CVE-2025-12881 | MEDIUM | 5.4 | 2025-11-21 | The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_f… |
| CVE-2025-67559 | MEDIUM | 5.4 | 2025-12-09 | Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access… |
| CVE-2026-1217 | MEDIUM | 5.4 | 2026-03-18 | The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish… |
| CVE-2026-2712 | MEDIUM | 5.4 | 2026-04-10 | The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/clas… |
| CVE-2020-5780 | MEDIUM | 5.3 | 2020-09-10 | Missing Authentication for Critical Function in Icegram Email Subscribers & Newsletters Plugin for WordPress prior to version 4.5.6 allows a remote, unauthenticated attacker to co… |
| CVE-2022-2034 | MEDIUM | 5.3 | 2022-08-29 | The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to te… |
| CVE-2022-2834 | MEDIUM | 5.3 | 2022-10-17 | The Helpful WordPress plugin before 4.5.26 puts the exported logs and feedbacks in a publicly accessible location and guessable names, which could allow attackers to download them… |
| CVE-2024-0235 | MEDIUM | 5.3 | 2024-01-16 | The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addr… |
| CVE-2024-0236 | MEDIUM | 5.3 | 2024-01-16 | The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settin… |
| CVE-2024-0237 | MEDIUM | 5.3 | 2024-01-16 | The EventON WordPress plugin through 4.5.8, EventON WordPress plugin before 2.2.7 do not have authorisation in some AJAX actions, allowing unauthenticated users to update virtual … |
| CVE-2023-6962 | MEDIUM | 5.3 | 2024-05-02 | The WP Meta SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.12 via the meta description. This makes it possible … |
| CVE-2024-11088 | MEDIUM | 5.3 | 2024-11-21 | The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.5 via the WordPress core search feature. This … |
| CVE-2025-6722 | MEDIUM | 5.3 | 2025-08-02 | The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4… |
| CVE-2025-11881 | MEDIUM | 5.3 | 2025-10-30 | The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all ve… |
| CVE-2014-9119 | MEDIUM | 5.0 | 2014-12-31 | Directory traversal vulnerability in download.php in the DB Backup plugin 4.5 and earlier for Wordpress allows remote attackers to read arbitrary files via a .. (dot dot) in the f… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2021-25021 | MEDIUM | 4.9 | 2022-01-03 | The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and… |
| CVE-2022-2222 | MEDIUM | 4.9 | 2022-07-17 | The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such … |
| CVE-2022-2981 | MEDIUM | 4.9 | 2022-10-10 | The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such … |
| CVE-2026-2831 | MEDIUM | 4.9 | 2026-02-27 | The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the ‘logid’ parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user… |
| CVE-2022-1094 | MEDIUM | 4.8 | 2022-04-25 | The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site S… |
| CVE-2022-1995 | MEDIUM | 4.8 | 2022-06-27 | The Malware Scanner WordPress plugin before 4.5.2 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Ja… |
| CVE-2022-3601 | MEDIUM | 4.8 | 2022-11-28 | The Image Hover Effects Css3 WordPress plugin through 4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored… |
| CVE-2023-1649 | MEDIUM | 4.8 | 2023-05-08 | The AI ChatBot WordPress plugin before 4.5.1 does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Si… |
| CVE-2023-2742 | MEDIUM | 4.8 | 2023-06-19 | The AI ChatBot WordPress plugin before 4.5.5 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even wh… |
| CVE-2023-2811 | MEDIUM | 4.8 | 2023-06-19 | The AI ChatBot WordPress plugin before 4.5.6 does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Si… |
| CVE-2023-6005 | MEDIUM | 4.8 | 2024-01-16 | The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 does not sanitize and escape some of its settings, which could allow high privilege users such as … |
| CVE-2022-2080 | MEDIUM | 4.3 | 2022-08-29 | The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to … |
| CVE-2022-45072 | MEDIUM | 4.3 | 2022-11-17 | Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. |
| CVE-2022-38974 | MEDIUM | 4.3 | 2022-11-18 | Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with subscriber or higher user roles to change the status of the tr… |
| CVE-2023-1029 | MEDIUM | 4.3 | 2023-02-24 | The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on t… |
| CVE-2023-1024 | MEDIUM | 4.3 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the regenerateSitemaps function in versions up to, and i… |
| CVE-2023-1026 | MEDIUM | 4.3 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the listPostsCategory function in versions up to, and includ… |
| CVE-2023-1027 | MEDIUM | 4.3 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the checkAllCategoryInSitemap function in versions up to… |
| CVE-2023-1028 | MEDIUM | 4.3 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on t… |
| CVE-2023-2261 | MEDIUM | 4.3 | 2023-06-09 | The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_ajax_call function in versions up to, and including,… |
| CVE-2023-2284 | MEDIUM | 4.3 | 2023-06-09 | The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_db function in versions up… |
| CVE-2023-2285 | MEDIUM | 4.3 | 2023-06-09 | The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce val… |
| CVE-2023-2286 | MEDIUM | 4.3 | 2023-06-09 | The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the … |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-1861 | MEDIUM | 4.3 | 2024-02-28 | The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a mis… |
| CVE-2024-10084 | MEDIUM | 4.3 | 2024-11-05 | The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Basic Information Disclosure in all versions up to, and including, 4.5 via the CF7_get_post_var s… |
| CVE-2024-13811 | MEDIUM | 4.3 | 2025-03-05 | The Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_i… |
| CVE-2025-32238 | MEDIUM | 4.3 | 2025-04-04 | Generation of Error Message Containing Sensitive Information vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows R… |
| CVE-2025-7221 | MEDIUM | 4.3 | 2025-08-21 | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_… |
| CVE-2025-12086 | MEDIUM | 4.3 | 2025-11-21 | The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps_rma_… |
| CVE-2025-67472 | MEDIUM | 4.3 | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery.T… |
| CVE-2025-14852 | MEDIUM | 4.3 | 2026-02-14 | The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on… |
| CVE-2026-4063 | MEDIUM | 4.3 | 2026-03-13 | The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hook… |
| CVE-2026-8938 | MEDIUM | 4.3 | 2026-05-27 | The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce val… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
| CVE-2023-6164 | LOW | 2.2 | 2023-11-22 | The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to,… |
WordPress 4.5 is no longer safe for any website, regardless of size or purpose. With 156 known vulnerabilities—including 6 critical ones that allow remote code execution—continuing to run this version is like leaving your front door unlocked. The longer you wait to update, the higher your risk of being compromised, losing customer data, or having your site used to attack others.
Don't leave your WordPress security to chance. Use SiteRecipe.com's vulnerability scanner to instantly identify all CVEs affecting your website, get personalized update recommendations, and receive step-by-step guidance to secure your installation. Our platform takes the guesswork out of WordPress security, helping you patch vulnerabilities in minutes rather than hours. Visit SiteRecipe.com today and take control of your site's security—because an ounce of prevention is worth a pound of cure.