WordPress 4.6, released in 2016, is no longer supported and poses severe security risks to the 22 websites still running this outdated version. Our latest security audit has identified 111 vulnerabilities, including 6 critical flaws that could allow attackers to take complete control of your website, steal sensitive data, and inject malicious code. If your site is still powered by WordPress 4.6, you're operating with a massive target on your back.
The most alarming discoveries include remote code execution vulnerabilities in popular plugins like WPML, Jupiter X Core, and Fancy Product Designer, along with SQL injection and file upload flaws that can be exploited without any authentication. These aren't theoretical threats—they're active attack vectors being weaponized by cybercriminals every single day. This guide will help you identify whether your site is vulnerable and provide clear steps to secure it.
WordPress 4.6 was released in August 2016 and reached end-of-life status years ago. It's an older content management system version that powers the core functionality of millions of websites worldwide. While it may still appear to function normally, WordPress 4.6 is no longer receiving security patches or updates from the official WordPress development team, making it impossible to address newly discovered vulnerabilities automatically.
Think of WordPress 4.6 like an old house with locks that no longer work—even if the structure seems fine on the surface, anyone with basic tools can break in. Every day that passes, new exploits are discovered and published, making outdated WordPress versions increasingly attractive targets for hackers, bots, and malicious actors looking for easy entry points.
111 CVEs found. The most critical are explained below.
The WPML plugin has a security flaw that lets attackers run harmful code on your website if they have basic access. This happens because the plugin doesn't properly check the information it receives from users.
Impact: A hacker could take complete control of your website, steal customer data, inject malware, or redirect visitors to malicious sites.
The newsletters-lite plugin contains a flaw that allows attackers to manipulate how the plugin processes information. This can be exploited to execute malicious commands on your server.
Impact: Hackers could steal your email lists, inject malicious content into newsletters, or gain unauthorized access to your website's backend systems.
The Nex Forms plugin doesn't properly filter user input in one of its admin pages. This allows attackers to manipulate your website's database directly without authorization.
Impact: Attackers could read, modify, or delete your website's database contents, including customer information, posts, and settings.
The Fancy Product Designer plugin doesn't properly verify what files are being uploaded to your server. Anyone, even without an account, can upload dangerous files.
Impact: Attackers can upload malicious code that runs on your server, giving them complete control over your website and all its data.
The Shariff Wrapper plugin has a flaw that lets attackers access and run any file stored on your web server. No login credentials are needed to exploit this vulnerability.
Impact: Hackers could view sensitive files like configuration documents with passwords, database details, or other confidential information, and execute malicious code.
The Jupiter X Core plugin doesn't properly check what type of files are being uploaded. Attackers can bypass safety checks and upload harmful files without needing an account.
Impact: Criminals could upload malicious code to your server and take control of your entire website, steal data, or use it to attack your visitors.
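The six flaws described above come down to a handful of missing checks in request handlers: no proof that the request came from the site's own pages (nonce), no check that the caller holds the right capability, request data placed into SQL unescaped, and uploads accepted without a file-type check. The following is an added example, written for this page and not taken from WordPress core or from any plugin named here; it shows a hypothetical admin-ajax handler in a deliberately weak form next to a hardened form that uses the standard WordPress APIs. The action names, the `example_items` table and the allowed MIME list are assumptions for the illustration.

```php
<?php
/**
 * Added example (not from the original page or any of the plugins it names).
 * Action names, option and table names are hypothetical.
 */

// --- Weak form: the pattern behind the flaws described above ---------------
// Reachable by anonymous users (wp_ajax_nopriv_), no nonce, no capability
// check, raw request data concatenated into SQL, upload written to disk with
// the client-supplied name and no type check.
function example_weak_handler() {
    global $wpdb;
    $id   = $_POST['id'];
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}example_items WHERE id = $id" );
    if ( ! empty( $_FILES['design'] ) ) {
        move_uploaded_file(
            $_FILES['design']['tmp_name'],
            WP_CONTENT_DIR . '/uploads/' . $_FILES['design']['name']
        );
    }
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_example_save_weak', 'example_weak_handler' );
add_action( 'wp_ajax_nopriv_example_save_weak', 'example_weak_handler' );

// --- Hardened form ----------------------------------------------------------
// The page that issues the request must embed wp_create_nonce( 'example_save' )
// and send it as the 'nonce' field.
function example_hardened_handler() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce issued for this action;
    //    check_ajax_referer() terminates the request if it is missing or invalid.
    check_ajax_referer( 'example_save', 'nonce' );

    // 2. Authorization: the caller must hold a capability matching the action.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input handling: coerce to the expected type and use a prepared statement.
    $id   = absint( wp_unslash( $_POST['id'] ?? 0 ) );
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, label FROM {$wpdb->prefix}example_items WHERE id = %d", $id )
    );

    // 4. Uploads: let WordPress verify type and extension against the file's
    //    content, restrict to an explicit allow-list, and let wp_handle_upload()
    //    choose a safe destination and unique filename.
    $saved = null;
    if ( ! empty( $_FILES['design'] ) ) {
        $check   = wp_check_filetype_and_ext( $_FILES['design']['tmp_name'], $_FILES['design']['name'] );
        $allowed = array( 'image/png', 'image/jpeg' ); // assumption: this handler only needs images
        if ( empty( $check['type'] ) || ! in_array( $check['type'], $allowed, true ) ) {
            wp_send_json_error( 'file type not allowed', 400 );
        }
        $saved = wp_handle_upload( $_FILES['design'], array( 'test_form' => false ) );
        if ( isset( $saved['error'] ) ) {
            wp_send_json_error( esc_html( $saved['error'] ), 400 );
        }
    }

    // 5. Output: escape database values before they can reach a page.
    $out = array();
    foreach ( $rows as $row ) {
        $out[] = array( 'id' => (int) $row->id, 'label' => esc_html( $row->label ) );
    }
    wp_send_json_success( array( 'items' => $out, 'upload' => $saved ) );
}
add_action( 'wp_ajax_example_save', 'example_hardened_handler' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous requests to this
// action receive WordPress's default "0" response instead of running code.
```

When reviewing a plugin, the same five points serve as a checklist: every `wp_ajax_*` and `wp_ajax_nopriv_*` callback should start with a nonce check and a `current_user_can()` test, every `$wpdb` query with request data should go through `$wpdb->prepare()`, and every upload path should go through `wp_check_filetype_and_ext()` or `wp_handle_upload()` rather than `move_uploaded_file()` with a client-chosen name.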
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2019-12570 | HIGH | 8.8 | 2019-07-03 | A SQL injection vulnerability in the Xpert Solution "Server Status by Hostname/IP" plugin 4.6 for WordPress allows an authenticated user to execute arbitrary SQL commands via GET … |
| CVE-2019-14788 | HIGH | 8.8 | 2019-08-15 | wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code… |
| CVE-2017-18547 | HIGH | 8.8 | 2019-08-16 | The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms. |
| CVE-2017-18523 | HIGH | 8.8 | 2019-08-20 | The eelv-newsletter plugin before 4.6.1 for WordPress has CSRF in the address book. |
| CVE-2020-9454 | HIGH | 8.8 | 2020-03-06 | A CSRF vulnerability in the RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote attackers to forge requests on behalf of a site administrator to change all settin… |
| CVE-2020-9456 | HIGH | 8.8 | 2020-03-06 | In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the user controller allows remote authenticated users (with minimal privileges) to elevate their privileges to admin… |
| CVE-2020-9457 | HIGH | 8.8 | 2020-03-06 | The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users (with minimal privileges) to import custom vulnerable forms and change form settings v… |
| CVE-2020-9458 | HIGH | 8.8 | 2020-03-06 | In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the export function allows remote authenticated users (with minimal privileges) to export submitted form data and se… |
| CVE-2021-24952 | HIGH | 8.8 | 2022-03-07 | The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action bef… |
| CVE-2023-3063 | HIGH | 8.8 | 2023-06-30 | The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providi… |
| CVE-2023-3105 | HIGH | 8.8 | 2023-07-12 | The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-control… |
| CVE-2021-4334 | HIGH | 8.8 | 2023-10-20 | The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in … |
| CVE-2023-5931 | HIGH | 8.8 | 2023-12-26 | The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 does not validate files to be uploaded, which could allow attackers with a low-privilege account (… |
| CVE-2024-2018 | HIGH | 8.8 | 2024-04-09 | The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient esca… |
| CVE-2024-3293 | HIGH | 8.8 | 2024-04-23 | The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to blind SQL Injection via the rtmedia_gallery shortcode in all versions up to, and including,… |
| CVE-2024-1797 | HIGH | 8.8 | 2024-05-02 | The WP ULike – Most Advanced WordPress Marketing Toolkit plugin for WordPress is vulnerable to SQL Injection via the 'status' and 'id' attributes of the 'wp_ulike_counter' and 'wp… |
| CVE-2024-2386 | HIGH | 8.8 | 2024-06-29 | The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'put_wpgm' shortcode in all versions up to, and in… |
| CVE-2021-4447 | HIGH | 8.8 | 2024-10-16 | The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 4.6.4 due to a lack of restrictions on who can add a… |
| CVE-2024-12293 | HIGH | 8.8 | 2024-12-17 | The User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.64.3. This is due to missing or incorrect nonce valid… |
| CVE-2024-12848 | HIGH | 8.8 | 2025-01-09 | The SKT Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the 'addLibraryByArchive' function in all versions up to, an… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2022-40700 | HIGH | 8.2 | 2024-01-19 | Server-Side Request Forgery (SSRF) vulnerability in Montonio Montonio for WooCommerce, Wpopal Wpopal Core Features, AMO for WP – Membership Management ArcStone wp-amo, Long Watch … |
| CVE-2020-8435 | HIGH | 8.1 | 2020-03-12 | An issue was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPress. There is SQL injection via the rm_analytics_show_form rm_form_id parameter. |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2023-3813 | HIGH | 7.5 | 2023-07-21 | The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file downloads in versions up to, and including, 4.6.6. This makes it possible for unauthenticated attackers to … |
| CVE-2026-1368 | HIGH | 7.5 | 2026-02-18 | The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to genera… |
| CVE-2026-2232 | HIGH | 7.5 | 2026-02-19 | The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and includ… |
| CVE-2021-24778 | HIGH | 7.2 | 2022-03-07 | The test parameter of the xmlfeed in the Tradetracker-Store WordPress plugin before 4.6.60 is not sanitised, escaped or validated before inserting to a SQL statement, leading to S… |
| CVE-2023-5939 | HIGH | 7.2 | 2023-12-26 | The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 loads the contents of the import file in an unsafe manner, leading to remote code execution by pri… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2016-6897 | MEDIUM | 6.5 | 2017-01-18 | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hija… |
| CVE-2023-3125 | MEDIUM | 6.5 | 2023-06-07 | The B2BKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'b2bking_save_price_import' function in versions up to… |
| CVE-2024-1076 | MEDIUM | 6.5 | 2024-05-08 | The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it only relies on the use of .htaccess to prevent visitors fr… |
| CVE-2024-13356 | MEDIUM | 6.5 | 2025-02-04 | The DSGVO All in one for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6. This is due to missing or incorrect nonce v… |
| CVE-2025-14947 | MEDIUM | 6.5 | 2026-01-23 | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_vi… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-4919 | MEDIUM | 6.4 | 2023-10-20 | The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `iframe` shortcode in versions up to, and including, 4.6 due to insufficient input sanitizatio… |
| CVE-2024-1496 | MEDIUM | 6.4 | 2024-02-29 | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fifu_input_url parameter in all versions up to, and including, 4.6.2 d… |
| CVE-2023-6500 | MEDIUM | 6.4 | 2024-03-21 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insuf… |
| CVE-2024-0966 | MEDIUM | 6.4 | 2024-03-21 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insuf… |
| CVE-2024-1450 | MEDIUM | 6.4 | 2024-03-21 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insu… |
| CVE-2024-2347 | MEDIUM | 6.4 | 2024-04-09 | The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and including, 4.6.8 due to insufficient input sanitiza… |
| CVE-2024-1572 | MEDIUM | 6.4 | 2024-05-02 | The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_ulike' shortcode in all versions up to, and including, 4.6.9 due to insufficien… |
| CVE-2024-1759 | MEDIUM | 6.4 | 2024-05-02 | The WP ULike – Most Advanced WordPress Marketing Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and inc… |
| CVE-2024-3554 | MEDIUM | 6.4 | 2024-05-02 | The All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's … |
| CVE-2024-2695 | MEDIUM | 6.4 | 2024-06-15 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.13 due to insu… |
| CVE-2024-10885 | MEDIUM | 6.4 | 2024-12-04 | The SearchIQ – The Search Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siq_searchbox' shortcode in all versions up to, and includin… |
| CVE-2024-11781 | MEDIUM | 6.4 | 2024-12-12 | The Smart Agenda – Prise de rendez-vous en ligne plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartagenda' shortcode in all versions up to, … |
| CVE-2024-12593 | MEDIUM | 6.4 | 2025-01-15 | The PDF for WPForms + Drag and Drop Template Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yeepdf_dotab shortcode in all versions up t… |
| CVE-2025-4594 | MEDIUM | 6.4 | 2025-05-23 | The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including,… |
| CVE-2026-4334 | MEDIUM | 6.4 | 2026-05-28 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including,… |
| CVE-2016-7169 | MEDIUM | 6.3 | 2017-01-05 | Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 a… |
| CVE-2021-4335 | MEDIUM | 6.3 | 2023-10-20 | The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX… |
| CVE-2021-4446 | MEDIUM | 6.3 | 2024-10-16 | The Essential Addons for Elementor plugin for WordPress is vulnerable to authorization bypass in versions up to and including 4.6.4 due to missing capability checks and nonce disc… |
| CVE-2024-9628 | MEDIUM | 6.3 | 2024-10-25 | The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::c… |
| CVE-2018-6001 | MEDIUM | 6.1 | 2018-01-22 | The Soundy Audio Playlist plugin 4.6 and below for WordPress has Cross-Site Scripting via soundy-audio-playlist\templates\front-end.php (war_sdy_pl_preview parameter). |
| CVE-2017-18522 | MEDIUM | 6.1 | 2019-08-20 | The eelv-newsletter plugin before 4.6.1 for WordPress has XSS in the address book. |
| CVE-2020-8436 | MEDIUM | 6.1 | 2020-03-12 | XSS was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPress via the rm_form_id, rm_tr, or form_name parameter. |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2021-24234 | MEDIUM | 6.1 | 2021-04-22 | The Search Forms page of the Ivory Search WordPress plugin before 4.6.1 did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site … |
| CVE-2023-3118 | MEDIUM | 6.1 | 2023-07-10 | The Export All URLs WordPress plugin before 4.6 does not sanitise and escape a parameter before outputting them back in the page, leading to a Reflected Cross-Site Scripting which… |
| CVE-2023-4270 | MEDIUM | 6.1 | 2023-09-11 | The Min Max Control WordPress plugin before 4.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which c… |
| CVE-2024-1106 | MEDIUM | 6.1 | 2024-02-27 | The Shariff Wrapper WordPress plugin before 4.6.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-… |
| CVE-2024-3368 | MEDIUM | 6.1 | 2024-05-20 | The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor … |
| CVE-2023-6813 | MEDIUM | 6.1 | 2024-07-10 | The Login by Auth0 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wle’ parameter in all versions up to, and including, 4.6.0 due to insufficient inp… |
| CVE-2024-12323 | MEDIUM | 6.1 | 2024-12-10 | The turboSMTP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 4.6 due to insufficient input san… |
| CVE-2024-12279 | MEDIUM | 6.1 | 2025-01-04 | The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. This is due to missing or incorrect nonce v… |
| CVE-2025-12123 | MEDIUM | 6.1 | 2025-11-27 | The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and inclu… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2019-14787 | MEDIUM | 5.4 | 2019-08-09 | The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter. |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2021-34650 | MEDIUM | 5.4 | 2021-09-20 | The eID Easy WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error parameter found in the ~/admin.php file which allows attackers to inject arbitrary web … |
| CVE-2022-4658 | MEDIUM | 5.4 | 2023-01-16 | The RSSImport WordPress plugin through 4.6.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Sto… |
| CVE-2022-4672 | MEDIUM | 5.4 | 2023-01-23 | The WordPress Simple Shopping Cart WordPress plugin before 4.6.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could… |
| CVE-2023-0551 | MEDIUM | 5.4 | 2023-08-16 | The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users, such as subscriber to ca… |
| CVE-2023-48754 | MEDIUM | 5.4 | 2023-11-30 | Cross-Site Request Forgery (CSRF) vulnerability in Wap Nepal Delete Post Revisions In WordPress allows Cross Site Request Forgery. This issue affects Delete Post Revisions In WordP… |
| CVE-2024-5627 | MEDIUM | 5.4 | 2024-07-13 | The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Cross-Site Scriptin… |
| CVE-2024-5644 | MEDIUM | 5.4 | 2024-07-13 | The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site … |
| CVE-2024-9630 | MEDIUM | 5.4 | 2024-10-25 | The WPS Telegram Chat plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when accessing messages in versions up to, and including, 4.6.0.… |
| CVE-2024-12308 | MEDIUM | 5.4 | 2025-02-24 | The Logo Slider WordPress plugin before 4.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embe… |
| CVE-2023-1431 | MEDIUM | 5.3 | 2023-03-16 | The WP Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.6.3 due to the plugin saving shopping cart dat… |
| CVE-2024-9065 | MEDIUM | 5.3 | 2024-10-10 | The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all ve… |
| CVE-2020-36841 | MEDIUM | 5.3 | 2024-10-16 | The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in version… |
| CVE-2025-8620 | MEDIUM | 5.3 | 2025-08-06 | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possibl… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal. This issue affects WordPress: f… |
| CVE-2016-7168 | MEDIUM | 4.8 | 2017-01-05 | Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitr… |
| CVE-2018-13832 | MEDIUM | 4.8 | 2018-07-16 | Multiple Persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbi… |
| CVE-2021-36869 | MEDIUM | 4.8 | 2021-10-21 | Reflected Cross-Site Scripting (XSS) vulnerability in WordPress Ivory Search plugin (versions <= 4.6.6). Vulnerable parameter: &post. |
| CVE-2023-3175 | MEDIUM | 4.8 | 2023-07-10 | The AI ChatBot WordPress plugin before 4.6.1 does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even whe… |
| CVE-2023-34013 | MEDIUM | 4.4 | 2023-11-13 | Server-Side Request Forgery (SSRF) vulnerability in Poll Maker Team Poll Maker – Best WordPress Poll Plugin. This issue affects Poll Maker – Best WordPress Poll Plugin: from n/a th… |
| CVE-2026-1381 | MEDIUM | 4.4 | 2026-01-28 | The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 … |
| CVE-2016-10148 | MEDIUM | 4.3 | 2017-01-18 | The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which … |
| CVE-2020-9455 | MEDIUM | 4.3 | 2020-03-06 | The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users (with minimal privileges) to send arbitrary emails on behalf of the site via class_rm_… |
| CVE-2023-3126 | MEDIUM | 4.3 | 2023-06-07 | The B2BKing plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'b2bkingdownloadpricelist' function in versions up to, and i… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-1642 | MEDIUM | 4.3 | 2024-03-13 | The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, … |
| CVE-2023-6243 | MEDIUM | 4.3 | 2024-10-19 | The EventON PRO - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.8. This is due… |
| CVE-2023-41951 | MEDIUM | 4.3 | 2024-12-13 | Missing Authorization vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affe… |
| CVE-2025-15516 | MEDIUM | 4.3 | 2026-01-24 | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() funct… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2025-3650 | LOW | 3.5 | 2025-09-12 | The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
Running WordPress 4.6 in 2024 is like leaving your front door unlocked while advertising your address on social media. The 111 vulnerabilities we've identified represent real, exploitable weaknesses that hackers actively target. The good news is that upgrading to a modern WordPress version is straightforward and will dramatically improve your security posture overnight. Don't wait for a breach to force your hand—take action today and reclaim control of your website's security.
SiteRecipe.com makes WordPress security simple and automatic. Our platform continuously scans your website for vulnerabilities, identifies outdated software, and provides one-click remediation for most security issues. Whether you need help upgrading from WordPress 4.6 or want ongoing protection for your current installation, SiteRecipe.com has you covered. Start your free security audit today and get peace of mind knowing your WordPress site is protected.