WordPress 4.5.4 contains 11 documented security vulnerabilities, including 1 critical flaw that could allow attackers to overwrite your website's files. If you're running this older version, your site is at serious risk from hackers who exploit these known weaknesses. This guide explains what these vulnerabilities mean for your website and how to protect yourself immediately.
The vulnerabilities span multiple popular WordPress plugins, including OMGF, IndieAuth, All-in-One Video Gallery, and EventON. Attackers can use these flaws to steal data, upload malicious files, delete your content, or hijack user logins. Even small websites are targeted by automated attacks that scan the internet for these exact vulnerabilities.
The good news is that these risks are preventable. By updating to a newer WordPress version and securing your plugins, you can eliminate these threats in hours, not days.
WordPress 4.5.4 is an older version of WordPress, the platform that powers over 40% of all websites on the internet. WordPress releases updates regularly to fix bugs and security problems that hackers discover. Version 4.5.4 was released in 2016, making it significantly outdated by modern standards. When WordPress developers find security weaknesses, they fix them in newer versions—but anyone still using 4.5.4 doesn't get these protections.
Think of WordPress like your home's locks and security system. Every few months, manufacturers discover new ways criminals can break in, so they design better locks. If you keep using old locks from 2016 while criminals today have modern tools, your home becomes an easy target. The same principle applies to WordPress: using a version from 2016 means you're protected against 2016-era attacks, but today's hackers exploit vulnerabilities that weren't even imagined back then.
11 CVEs found. The most critical are explained below.
The OMGF plugin has a security flaw that allows anyone on the internet to manipulate your website's CSS files (the code that controls how your site looks). They can also download private font files without permission. This happens because the plugin doesn't properly check who is making requests or where files are being stored.
Impact: Attackers could change how your website appears to visitors, inject malicious code, or steal your custom fonts and design assets. Your website could look broken or display inappropriate content to your users.
The IndieAuth plugin fails to verify that login requests are legitimate. This means attackers can create fake login forms or other tricks that bypass your normal security checks. An attacker could trick someone into logging in without their knowledge.
Impact: Someone could be logged into your site without their permission, potentially gaining unauthorized access to user accounts or administrative functions. Your site's login system could be abused to access sensitive areas.
The All-in-One Video Gallery plugin doesn't properly check what type of files authors are uploading. Instead of accepting only video files, it lets attackers with author-level access upload executable files or malicious code. The plugin's file validation is missing or broken.
Impact: Website users with author permissions could upload harmful files that infect your site with malware or give attackers control of your server. This could compromise your entire website and visitor data.
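As an added illustration (not code from SiteRecipe or from the All-in-One Video Gallery plugin), here is what the missing file validation looks like when it is present: a hypothetical WordPress upload handler that accepts only real video files from authors. The hook name, the parameter names and the allowed-type list are assumptions for the example.

```php
<?php
// Added illustration, not code from SiteRecipe or the All-in-One Video Gallery plugin.
// Hypothetical AJAX upload handler; hook name, field names and the allow-list are assumptions.

add_action( 'wp_ajax_example_video_upload', 'example_video_upload' );

function example_video_upload() {
    // Request verification: the upload form must carry a nonce created with
    // wp_create_nonce( 'example_video_upload' ); check_ajax_referer() stops otherwise.
    check_ajax_referer( 'example_video_upload', '_wpnonce' );

    // Authorization: authors may upload media, but nobody below that role reaches this code.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( empty( $_FILES['video'] ) || empty( $_FILES['video']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }

    // Allow-list: the extension must be on this list AND the MIME type WordPress sniffs
    // from the file contents must agree with it, so a script renamed to .mp4 is rejected.
    $allowed = array(
        'mp4'  => 'video/mp4',
        'webm' => 'video/webm',
        'ogv'  => 'video/ogg',
    );
    $file  = $_FILES['video'];
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'only mp4, webm or ogv video files are accepted', 415 );
    }

    // Let core move the file into the uploads directory (not the plugin's own folder),
    // restricted to the same allow-list a second time.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```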
The OMGF plugin allows any logged-in user to delete important files and folders from your server without proper permission checks. Even users with limited access can trigger this deletion function. There's no security verification to stop this.
Impact: Users could delete critical website files, causing your site to break or stop working entirely. Your website could become inaccessible or lose important data, requiring emergency restoration from backups.
The EventON calendar plugin doesn't properly check user permissions before allowing changes to event information. This means users who shouldn't be able to edit events could modify or delete them anyway. The plugin is missing security checks for who has access.
Impact: Unauthorized users could change or delete your calendar events, causing confusion for your audience and potentially damaging your event credibility. Important event information could be lost or altered.
The EventON plugin fails to verify that event modification requests are genuine and come from you. Attackers can create fake requests that trick your website into changing events without your knowledge or permission.
Impact: Someone could modify your calendar events, event details, or settings without your authorization. Your events could be changed, deleted, or made private without you realizing it happened.
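The file-deletion flaw and the two EventON flaws above are all described as missing checks: who is making the request, whether the request is genuine, and what it is allowed to touch. As an added illustration (not code from SiteRecipe, OMGF or EventON), here is a hypothetical WordPress AJAX handler that clears a plugin cache folder, first in the unsafe shape the text describes and then with the three checks in place. The hook names, the folder name and the required capability are assumptions.

```php
<?php
// Added illustration, not code from SiteRecipe, OMGF or EventON.
// Hypothetical cache-clearing handler; hook names, folder name and capability are assumptions.

// BEFORE: any logged-in user reaches this, no nonce is checked, and the path comes from the request.
add_action( 'wp_ajax_example_cache_delete_unsafe', function () {
    example_rrmdir( $_POST['dir'] );
    wp_send_json_success();
} );

// AFTER: the three checks the unsafe version lacks.
add_action( 'wp_ajax_example_cache_delete', 'example_cache_delete' );
function example_cache_delete() {
    // 1. Request verification: the page's JavaScript sends a token created with
    //    wp_create_nonce( 'example_cache_delete' ); a forged request from another site has none.
    check_ajax_referer( 'example_cache_delete', '_wpnonce' );

    // 2. Authorization: being logged in is not enough; require an administrator capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Path confinement: the folder is fixed server-side and must resolve inside uploads.
    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] );
    $target = realpath( trailingslashit( $upload['basedir'] ) . 'example-cache' );
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'cache folder missing or outside the uploads directory', 400 );
    }

    example_rrmdir( $target );
    wp_send_json_success( 'cache cleared' );
}

// Recursive delete helper used by both handlers above.
function example_rrmdir( $dir ) {
    foreach ( scandir( $dir ) as $entry ) {
        if ( '.' === $entry || '..' === $entry ) {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        is_dir( $path ) ? example_rrmdir( $path ) : unlink( $path );
    }
    rmdir( $dir );
}
```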
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2023-6244 | MEDIUM | 6.5 | 2024-01-11 | The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (F… |
| CVE-2025-1489 | MEDIUM | 6.4 | 2025-02-21 | The WP-Appbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's appbox shortcode in all versions up to, and including, 4.5.4 due to insufficient i… |
| CVE-2025-8567 | MEDIUM | 6.4 | 2025-08-19 | The Nexter Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 4.5.4 due to insufficient input sani… |
| CVE-2021-24255 | MEDIUM | 5.4 | 2021-05-05 | The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as co… |
| CVE-2022-4576 | MEDIUM | 5.4 | 2023-01-23 | The Easy Bootstrap Shortcode WordPress plugin through 4.5.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allo… |
WordPress 4.5.4 is no longer safe for any website. With 11 known security vulnerabilities—including a critical flaw that lets attackers rewrite your CSS files and download your data—running this version is like leaving your front door unlocked 24/7. The scary part: hackers use automated tools that scan the internet specifically for sites running vulnerable versions like yours. They're not targeting you personally; they're using robots that attack thousands of websites daily.
The solution is simple and fast: update WordPress and your plugins today. SiteRecipe.com makes security management effortless with real-time vulnerability scanning that alerts you to threats before hackers find them. Our platform continuously monitors your WordPress sites, checks for outdated versions, and recommends fixes—all while you sleep. Stop worrying about security vulnerabilities and start protecting your website the smart way. Sign up for SiteRecipe.com now and run a free security scan of your site.