Home Plans Products
Tools
Technology Trends Keyword Lists Browser Extensions
Features
Lead Generation Market Analysis Sales Intelligence
Resources
FAQ About Contact Blog
Account
Login Sign up
Home / Blog / wordpress 4.6.4
Security Advisory

WordPress 4.6.4 Security: 6 Critical CVEs Explained

📅 June 07, 2026 ·⏱ 5 min read ·🔒 SiteRecipe Security Team
5 websites still running wordpress 4.6.4  → View full list
6
Total
3
High
3
Medium

WordPress 4.6.4, released in 2016, is an older version still running on 5 websites worldwide. This version contains 6 documented security vulnerabilities, including 3 high-severity flaws that could allow attackers to inject malicious code, escalate privileges, and modify data without authorization. If your website is still using WordPress 4.6.4, you're at significant risk of compromise.

In this comprehensive guide, we'll explain what these vulnerabilities are, how to check if you're affected, and the exact steps to secure your WordPress installation. Whether you're a website owner or administrator, understanding these risks is essential for protecting your site and your visitors' data.

What is Wordpress 4.6.4?

WordPress 4.6.4 is a maintenance release from September 2016 designed to fix bugs and improve stability in the WordPress content management system. At the time of release, it was considered secure, but eight years of security research has since discovered multiple vulnerabilities in plugins commonly used with this version. WordPress 4.6.4 includes the core WordPress software and a default installation, but many site owners extend functionality with third-party plugins.

Think of WordPress like a smartphone operating system—the core system (WordPress 4.6.4) needs to stay updated, but the apps you install (plugins) also need security patches. When either falls behind, your entire system becomes vulnerable. The 6 vulnerabilities in WordPress 4.6.4 primarily affect popular plugins like WP Activity Log, Essential Addons for Elementor, and All-in-One Video Gallery, making this version particularly risky for active websites.

Key Vulnerabilities in Wordpress 4.6.4

6 CVEs found. The most critical are explained below.

HIGH CVE-2017-18547 8.8/10 · CVSS v3.0 ⏱ Within 7 days
Nelio A/B Testing Plugin - Unauthorized Form Changes

This vulnerability allows attackers to trick administrators into making unwanted changes to A/B testing experiments without their knowledge. The plugin doesn't properly verify that form submissions actually come from authorized users.

Impact: Attackers could modify your A/B testing experiments, potentially directing traffic incorrectly or disrupting your marketing campaigns and data collection.

↗ View on NVD
HIGH CVE-2024-2018 8.8/10 · CVSS v3.1 ⏱ Immediate
WP Activity Log - Database Hacking Vulnerability

This is a serious database vulnerability where attackers can inject malicious code into search parameters. The plugin doesn't properly filter what users type into the activity log search feature, allowing hackers to access your entire database.

Impact: An attacker could steal sensitive information like usernames, passwords, and customer data from your WordPress database, or modify/delete critical information.

↗ View on NVD
HIGH CVE-2021-4447 8.8/10 · CVSS v3.1 ⏱ Immediate
Essential Addons - Unauthorized Admin Access

This plugin allows users with very basic access (like regular subscribers) to create registration forms and assign admin roles without restrictions. Attackers could promote themselves to administrator status.

Impact: A hacker could gain full administrative control of your website, allowing them to steal data, install malware, or take your site offline completely.

↗ View on NVD
MEDIUM CVE-2025-14947 6.5/10 · CVSS v3.1 ⏱ Within 7 days
Video Gallery Plugin - Unauthorized Video Management

The Video Gallery plugin doesn't properly check user permissions before allowing modifications to video content. Unauthorized users could create, view, or delete videos stored in your gallery.

Impact: Users could add malicious content to your video gallery, delete important videos, or access video files they shouldn't be able to see.

↗ View on NVD
MEDIUM CVE-2021-4446 6.3/10 · CVSS v3.1 ⏱ Within 7 days
Essential Addons - Subscriber Permission Bypass

The plugin doesn't adequately verify user permissions and exposes security tokens. This allows low-level users (subscribers) to perform actions that should only be available to administrators.

Impact: Basic site users could perform administrative tasks they shouldn't have access to, potentially modifying site settings or accessing sensitive features.

↗ View on NVD
MEDIUM CVE-2025-15516 4.3/10 · CVSS v3.1 ⏱ Within 30 days
Video Gallery Plugin - User Data Manipulation

The Video Gallery plugin doesn't check if users have permission before allowing them to modify user profile information. Subscribers could alter their own or other users' data.

Impact: Users could modify account information, escalate their own permissions, or tamper with other users' profiles and metadata.

↗ View on NVD

Is your website running Wordpress 4.6.4?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 5 affected sites

How to Check If Your Website Is Affected

How to Fix These Vulnerabilities

Conclusion

WordPress 4.6.4 contains serious security vulnerabilities that expose your website to SQL injection attacks, privilege escalation, and unauthorized data modification. The good news is that updating to a modern WordPress version eliminates all these risks and provides access to new features and performance improvements. Every day your site runs outdated software increases the likelihood of successful attacks.

Don't let your website become a target. Use SiteRecipe.com's vulnerability scanner to identify security issues across your entire WordPress installation, including outdated versions and vulnerable plugins. Our platform provides detailed remediation guidance, automated update recommendations, and continuous monitoring to keep your site secure. Start your free security audit today and protect what matters most.

Frequently Asked Questions

Is WordPress 4.6.4 still supported?
No. WordPress 4.6.4 reached end-of-life in 2016 and no longer receives security updates. Continuing to use it exposes your site to known vulnerabilities that attackers actively exploit. WordPress 6.0+ receives regular security patches and is considered safe.
What's the risk if I don't update immediately?
Attackers use automated tools to scan the internet for outdated WordPress versions. The documented CVEs in 4.6.4 provide them with roadmaps for compromise. A hacked site can steal visitor data, spread malware, damage your reputation, and result in blacklisting by search engines.
Will updating WordPress break my website?
Most updates are seamless, but compatibility issues can occur with very old plugins. That's why backing up and testing on a staging environment first is crucial. Your hosting provider can help create a staging copy where you can safely test updates before applying them to your live site.
What if I have custom code or heavily modified WordPress?
SiteRecipe.com's security team can audit your specific configuration and provide a customized upgrade plan. We identify which customizations need updates and help prioritize them by risk level, minimizing disruption while maximizing security.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 5 affected sites
DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com