WordPress 4.5.3 is an older version of the world's most popular website platform, released several years ago. Unfortunately, this version contains 32 known security vulnerabilities that put your website at serious risk, including 2 critical-level flaws that attackers actively exploit. If your site still runs WordPress 4.5.3, you need to take immediate action to protect your data, your visitors, and your business.
These vulnerabilities range from allowing attackers to upload malicious files to stealing sensitive information through SQL injection attacks. With 88 websites still using this outdated version, hackers know exactly what to look for. This guide will help you understand these threats and show you exactly how to fix them.
WordPress 4.5.3 is a version of WordPress released in 2016—nearly a decade ago. Think of WordPress as the engine that powers your website, handling everything from displaying your content to managing user accounts and plugins. Version 4.5.3 introduced several features and improvements, but like all software, security experts have discovered vulnerabilities (weaknesses) in the code that bad actors can exploit.
Security vulnerabilities are essentially holes or flaws in software that attackers can use to break into your system. In WordPress 4.5.3, these holes allow hackers to upload dangerous files, steal data, or take complete control of your website. Because this version is so old, it's no longer receiving security updates from WordPress developers, meaning any new vulnerabilities discovered won't be fixed.
32 CVEs found. The most critical are explained below.
The Divi Builder plugin has a security weakness that lets people with contributor access or higher upload any type of file to your website, including dangerous executable files. The security check only happens in the browser, which is easy to bypass.
Impact: An attacker could upload malicious code that takes control of your entire website, steals customer data, or uses your site to attack others.
The vcita Online Booking plugin has a flaw that allows uploading malicious files to your website. Anyone with plugin access could exploit this to gain control of your site.
Impact: Attackers could install backdoors, steal customer information, or hijack your website completely.
The Unlimited PopUps plugin doesn't properly filter user input before using it in database queries. Editors and higher-level users can exploit this to access or modify your entire database.
Impact: Sensitive data could be exposed, customer information could be stolen or deleted, and your site's functionality could be disrupted.
The WP Meta SEO plugin doesn't properly protect database queries from malicious input. Even low-level users (subscribers) can exploit this vulnerability to access your database.
Impact: Private information stored in your database could be exposed to unauthorized users without leaving obvious traces.
WordPress has a flaw in its plugin upload feature that allows uploading files that aren't actually plugins. If your host requests FTP credentials during installation, attackers could exploit this.
Impact: An attacker with admin access could upload malicious files disguised as plugins, potentially taking over your website.
An older vulnerability in WordPress versions before 4.5.3 allows attackers to bypass security redirects in the customizer tool through specific methods.
Impact: Attackers could redirect users away from your site or access restricted areas they shouldn't be able to reach.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2016-5835 | HIGH | 7.5 | 2016-06-29 | WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions… |
| CVE-2016-5836 | HIGH | 7.5 | 2016-06-29 | The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. |
| CVE-2016-5837 | HIGH | 7.5 | 2016-06-29 | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. |
| CVE-2016-5838 | HIGH | 7.5 | 2016-06-29 | WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. |
| CVE-2016-5839 | HIGH | 7.5 | 2016-06-29 | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. |
| CVE-2016-6896 | HIGH | 7.1 | 2017-01-18 | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denia… |
| CVE-2025-54676 | MEDIUM | 6.5 | 2025-08-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-sch… |
| CVE-2023-6561 | MEDIUM | 6.4 | 2024-01-11 | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the featured image alt text in all versions up to, and including, 4.5.3 du… |
| CVE-2024-2255 | MEDIUM | 6.4 | 2024-03-20 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versio… |
| CVE-2025-4611 | MEDIUM | 6.4 | 2025-05-21 | The Slim SEO – Fast & Automated WordPress SEO Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slim_seo_breadcrumbs shortcode in all versi… |
| CVE-2026-7796 | MEDIUM | 6.4 | 2026-06-06 | The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block '… |
| CVE-2016-5833 | MEDIUM | 6.1 | 2016-06-29 | Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to injec… |
| CVE-2016-5834 | MEDIUM | 6.1 | 2016-06-29 | Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitr… |
| CVE-2015-9349 | MEDIUM | 6.1 | 2019-08-27 | The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has reflected XSS in the "built-in (old)" file browser. |
| CVE-2023-0876 | MEDIUM | 6.1 | 2023-03-20 | The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary red… |
| CVE-2023-1780 | MEDIUM | 6.1 | 2023-07-10 | The Companion Sitemap Generator WordPress plugin before 4.5.3 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Sc… |
| CVE-2024-12710 | MEDIUM | 6.1 | 2024-12-24 | The WP-Appbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 4.5.3 due to insufficient input s… |
| CVE-2023-1022 | MEDIUM | 5.4 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized options update due to a missing capability check on the wpmsGGSaveInformation function in versions up to, and in… |
| CVE-2023-1023 | MEDIUM | 5.4 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the saveSitemapSettings function in versions up to, … |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2023-1029 | MEDIUM | 4.3 | 2023-02-24 | The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on t… |
| CVE-2023-1024 | MEDIUM | 4.3 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the regenerateSitemaps function in versions up to, and i… |
| CVE-2023-1026 | MEDIUM | 4.3 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the listPostsCategory function in versions up to, and includ… |
| CVE-2023-1027 | MEDIUM | 4.3 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the checkAllCategoryInSitemap function in versions up to… |
| CVE-2023-1028 | MEDIUM | 4.3 | 2023-02-28 | The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on t… |
| CVE-2026-8938 | MEDIUM | 4.3 | 2026-05-27 | The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce val… |
Running WordPress 4.5.3 is like leaving your front door unlocked in a neighborhood full of burglars. The 32 vulnerabilities in this version, especially the 2 critical-level flaws, make your website an easy target for hackers who can steal data, inject malware, or destroy your site entirely. Updating to the latest WordPress version takes less than an hour and eliminates the vast majority of these risks.
Don't wait for a breach to happen. Use SiteRecipe.com's automated security scanning tools to identify vulnerabilities in your WordPress installation right now. Our platform monitors your site 24/7, alerts you to security issues, and provides step-by-step guidance to fix them. Visit SiteRecipe.com today for a free security audit and sleep better knowing your website is protected.