WordPress 4.6.1 is an outdated version with significant security vulnerabilities that put your website at serious risk. Our analysis found 38 confirmed CVEs affecting this version, including 3 critical vulnerabilities that could allow attackers to take complete control of your site. If your website is still running this older version, you're exposed to remote code execution, SQL injection, and file inclusion attacks that hackers actively exploit.
With 115 websites still using WordPress 4.6.1, this is a widespread security concern. The vulnerabilities are well-documented and easily exploitable, making your site an attractive target. This guide will help you identify if you're vulnerable and walk you through the steps to secure your WordPress installation immediately.
WordPress 4.6.1 was released in 2016 as a minor security update to the WordPress content management system, the software that powers over 43% of all websites on the internet. Think of WordPress as the foundation of your website—it manages your content, handles user access, and connects all your plugins and themes together. When your WordPress version becomes outdated, it's like leaving your front door unlocked while the security flaws are publicly known.
This version is now over 8 years old and has been superseded by dozens of updates. WordPress regularly releases security patches to fix vulnerabilities, but these only work if you're running a current version. Running WordPress 4.6.1 means you're missing years of security improvements and bug fixes. Even worse, the plugins you use on this old version likely have their own vulnerabilities, creating multiple layers of risk that attackers can exploit.
38 CVEs found. The most critical are explained below.
The WPML plugin has a serious flaw that lets attackers with login access run malicious code on your website. This happens because the plugin doesn't properly check what users are entering into certain forms.
Impact: An attacker could take complete control of your website, steal customer data, install malware, or shut down your site entirely.
The Nex Forms plugin contains a SQL injection vulnerability that allows attackers to directly access your website's database without proper authentication. This happens because the plugin accepts user input without validating it first.
Impact: Hackers could steal sensitive information like customer names, emails, and passwords, or modify/delete critical business data.
The Shariff Wrapper plugin has a flaw that allows anyone (even without a login) to access files on your server and run code. An attacker can use this to install backdoors or steal your data.
Impact: Your entire website and server could be compromised, potentially affecting all customer data and website functionality.
The Tribulant Newsletters plugin allows attackers to access files outside their intended directories and execute code on your server. This happens through a path traversal vulnerability in the export function.
Impact: Attackers could access confidential files, install malware, steal subscriber lists, or gain full control of your website.
The eelv-newsletter plugin is missing protection against CSRF attacks, which means attackers can trick logged-in users into performing unwanted actions, such as modifying address books, without their knowledge.
Impact: Your mailing lists and subscriber data could be altered or deleted by attackers impersonating legitimate users.
The rtMedia plugin doesn't properly check files before allowing them to be uploaded. This means even low-level users can upload dangerous files like PHP scripts that can execute code on your server.
Impact: Attackers could upload and run malicious code to compromise your website, steal data, or disrupt your services.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-3293 | HIGH | 8.8 | 2024-04-23 | The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to blind SQL Injection via the rtmedia_gallery shortcode in all versions up to, and including,… |
| CVE-2024-2386 | HIGH | 8.8 | 2024-06-29 | The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'put_wpgm' shortcode in all versions up to, and in… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2023-5939 | HIGH | 7.2 | 2023-12-26 | The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 loads the contents of the import file in an unsafe manner, leading to remote code execution by pri… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2024-1450 | MEDIUM | 6.4 | 2024-03-21 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insu… |
| CVE-2024-2695 | MEDIUM | 6.4 | 2024-06-15 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.13 due to insu… |
| CVE-2025-4594 | MEDIUM | 6.4 | 2025-05-23 | The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including,… |
| CVE-2016-7169 | MEDIUM | 6.3 | 2017-01-05 | Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 a… |
| CVE-2017-18522 | MEDIUM | 6.1 | 2019-08-20 | The eelv-newsletter plugin before 4.6.1 for WordPress has XSS in the address book. |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2021-24234 | MEDIUM | 6.1 | 2021-04-22 | The Search Forms page of the Ivory Search WordPress plugin before 4.6.1 did not properly sanitise the tab parameter before outputting it in the page, leading to a reflected Cross-Site … |
| CVE-2024-1106 | MEDIUM | 6.1 | 2024-02-27 | The Shariff Wrapper WordPress plugin before 4.6.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-… |
| CVE-2024-3368 | MEDIUM | 6.1 | 2024-05-20 | The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor … |
| CVE-2025-12123 | MEDIUM | 6.1 | 2025-11-27 | The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and inclu… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2019-14787 | MEDIUM | 5.4 | 2019-08-09 | The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter. |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2022-4658 | MEDIUM | 5.4 | 2023-01-16 | The RSSImport WordPress plugin through 4.6.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Sto… |
| CVE-2023-0551 | MEDIUM | 5.4 | 2023-08-16 | The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users, such as subscriber, to ca… |
| CVE-2024-5627 | MEDIUM | 5.4 | 2024-07-13 | The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Cross-Site Scriptin… |
| CVE-2024-5644 | MEDIUM | 5.4 | 2024-07-13 | The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site … |
| CVE-2024-9065 | MEDIUM | 5.3 | 2024-10-10 | The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all ve… |
| CVE-2016-7168 | MEDIUM | 4.8 | 2017-01-05 | Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitr… |
| CVE-2023-3175 | MEDIUM | 4.8 | 2023-07-10 | The AI ChatBot WordPress plugin before 4.6.1 does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even whe… |
| CVE-2023-41951 | MEDIUM | 4.3 | 2024-12-13 | Missing Authorization vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affe… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
Securing WordPress 4.6.1 isn't optional—it's essential for protecting your website, your users' data, and your business reputation. The 3 critical vulnerabilities we identified can give attackers complete control of your site, allowing them to steal data, inject malware, or use your server for criminal purposes. By updating to the latest WordPress version and patching all vulnerable plugins, you eliminate the vast majority of these risks.
Don't wait until your site is compromised. SiteRecipe.com provides fast, comprehensive vulnerability scanning that instantly identifies which CVEs affect your WordPress installation and recommends specific fixes. Start your free security scan today and take control of your website's safety. Your future self will thank you when you're not dealing with a hacked site or data breach.