WordPress 4.5.2 is an outdated version that contains 19 known security vulnerabilities, including 2 high-severity issues that could compromise your website. If your site still runs this version, you're exposed to serious risks including unauthorized file uploads, script injection, and arbitrary file deletion attacks. This guide will help you identify if you're affected and show you exactly how to fix the problem.
With over 62 websites still using WordPress 4.5.2, this version represents a significant security risk in the wild. The vulnerabilities range from cross-site scripting (XSS) attacks to authenticated file manipulation that could lead to complete site takeover. Understanding these threats is the first step toward protecting your online presence.
WordPress 4.5.2 is an older version of WordPress, the popular website building platform that powers over 40% of the internet. Released in May 2016, this version was once state-of-the-art but is now several major versions behind the current releases. Think of WordPress versions like software updates on your phone—older versions miss out on important security patches and performance improvements that newer versions include.
WordPress versions are numbered like 4.5.2, where each number represents different levels of updates. The first number (4) represents major releases, the second (5) represents minor updates, and the third (2) represents security patches. WordPress 4.5.2 may seem like it has patches, but it's missing years of additional security improvements from versions 5.x, 6.x, and beyond. Running outdated software is like leaving your front door unlocked—hackers specifically target known vulnerabilities in old versions.
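To check whether an install you administer is behind the current core release, the version is read from `wp-includes/version.php` (server access) or, if the site still exposes it, from the generator meta tag. The following is an added example, not code from this page or from WordPress; the sample inputs are constructed and the `CURRENT_CORE` value is a placeholder you replace with the latest release from wordpress.org.

```python
import re

# Constructed sample inputs (not from the page): the two places a WordPress
# install reveals its version. The generator tag is often removed by hardening
# plugins, so version.php is the authoritative source when you have file access.
VERSION_PHP = "<?php\n$wp_version = '4.5.2';\n"
HOMEPAGE_HTML = '<html><head><meta name="generator" content="WordPress 4.5.2" /></head></html>'

# Assumed placeholder: the newest core release at the time of your check.
CURRENT_CORE = "6.5.2"


def parse_version(text):
    """Return an int tuple for a WordPress version such as '4.5' or '4.5.2'.
    WordPress writes major releases without a trailing .0, so '4.5' must
    compare equal to '4.5.0' rather than sort oddly as a string."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a WordPress version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_from_php(source):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r'''\$wp_version\s*=\s*['"]([^'"]+)['"]''', source)
    return m.group(1) if m else None


def version_from_html(html):
    """Extract the version from the generator meta tag, if the site exposes it."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', html, re.I)
    return m.group(1) if m else None


def is_outdated(found, current=CURRENT_CORE):
    """True when the discovered version is older than the reference release."""
    return parse_version(found) < parse_version(current)


def assess(php_source, html):
    """Prefer version.php; fall back to the generator tag; report None if neither is present."""
    found = version_from_php(php_source) or version_from_html(html)
    if found is None:
        return {"version": None, "outdated": None}
    return {"version": found, "outdated": is_outdated(found)}


if __name__ == "__main__":
    print(assess(VERSION_PHP, HOMEPAGE_HTML))
```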
19 CVEs found. The most critical are explained below.
An attacker with login access can upload a specially named file that executes harmful code when someone views it. This is like giving a trusted employee a document that secretly contains a virus.
Impact: Hackers could take control of your website, steal data, or use your site to attack your visitors.
The WP-Optimize plugin (versions up to 4.5.2) has a flaw that lets attackers delete files from your server without permission. It's like someone being able to erase files from your filing cabinet remotely.
Impact: Your website could be damaged, lose functionality, or have critical data deleted permanently.
Staff members with permission to upload files can secretly embed malicious code that runs when an administrator views the file. The code runs with the admin's permissions, giving attackers powerful access.
Impact: An insider threat or compromised staff account could give attackers administrative control over your entire website.
Content creators using WordPress's block editor can craft special text in the search function that runs malicious code. This requires someone with editor access to intentionally create the harmful content.
Impact: A compromised staff account or malicious employee could inject code that affects all site visitors.
WordPress 4.5.2 uses an old file upload component (Plupload) that has a security hole. Attackers can inject malicious code through the upload feature without needing to log in.
Impact: Your website could be hacked and used to spread malware to your visitors.
WordPress 4.5.2 uses an outdated media player that has a security flaw allowing attackers to inject malicious code into video or audio players.
Impact: Visitors watching videos could be infected with malware or have their browsers compromised.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2022-1170 | MEDIUM | 6.1 | 2022-04-04 | In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests. |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2022-2834 | MEDIUM | 5.3 | 2022-10-17 | The Helpful WordPress plugin before 4.5.26 puts the exported logs and feedbacks in a publicly accessible location and guessable names, which could allow attackers to download them… |
| CVE-2022-1995 | MEDIUM | 4.8 | 2022-06-27 | The Malware Scanner WordPress plugin before 4.5.2 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Ja… |
| CVE-2022-2080 | MEDIUM | 4.3 | 2022-08-29 | The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to … |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
WordPress 4.5.2 contains serious security vulnerabilities that put your website, visitor data, and business at risk. The two high-severity CVEs alone can allow attackers to execute malicious code on your site through file uploads and script injection. Updating to the latest WordPress version takes just minutes but provides years of security improvements and protections.
Don't wait for a breach to happen—take action today to secure your website. SiteRecipe.com's vulnerability scanner instantly identifies outdated software, missing security patches, and other critical issues affecting your site. Use our free security check to see exactly what vulnerabilities exist on your WordPress site, get personalized recommendations, and take the guesswork out of website security. Visit SiteRecipe.com now to scan your site and protect your business.