    Home /
    Blog /
    wordpress 4.6.9
  

Security Advisory

WordPress 4.6.9: 9 Critical Security Vulnerabilities Explained

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 2 websites still running wordpress 4.6.9 → View full list

Total

Critical

High

Medium

WordPress 4.6.9 contains a dangerous combination of security vulnerabilities that put your website at serious risk. With 1 critical vulnerability and 3 high-severity flaws, attackers can execute malicious code, steal sensitive data, and compromise your entire site. Only 2 websites are currently running this outdated version, but if yours is one of them, immediate action is required.

This guide walks you through identifying if you're vulnerable, understanding the specific threats, and implementing the security fixes that will protect your WordPress installation. Whether you're a beginner or experienced administrator, we'll help you secure your site step-by-step.

What is Wordpress 4.6.9?

WordPress 4.6.9 is an older version of WordPress, the world's most popular website platform. Released years ago, this version powers thousands of websites built with WordPress's flexible page-building and content management system. If your site still runs on 4.6.9, it's using outdated code that security experts have since identified as vulnerable to multiple attacks.

Think of WordPress versions like security updates for your home—newer versions patch holes that hackers have discovered and learned to exploit. Running 4.6.9 means you're using a version from before these security patches were applied, leaving multiple entry points for cybercriminals to infiltrate your website, steal customer data, or inject malware.

Key Vulnerabilities in Wordpress 4.6.9

9 CVEs found. The most critical are explained below.

CRITICAL CVE-2021-24370 9.8/10 · CVSS v3.1 ⏱ Immediate

Fancy Product Designer - Attackers Can Upload Harmful Files

This is a critical security flaw in the Fancy Product Designer plugin that allows hackers to upload malicious files to your website without even logging in. Once uploaded, these files can take over your entire website and steal your data.

Impact: Hackers could gain complete control of your website, steal customer information, inject malware, or use your site to attack other websites.

↗ View on NVD

HIGH CVE-2021-4334 8.8/10 · CVSS v3.1 ⏱ Within 7 days

Fancy Product Designer - Low-Level Users Can Change Settings

The plugin fails to properly check user permissions, allowing even basic subscriber accounts to modify important website settings they shouldn't have access to. This is like leaving the keys to your settings cabinet accessible to interns.

Impact: Disgruntled employees or hacked subscriber accounts could change your site configuration, disable features, or modify how your website functions.

↗ View on NVD

HIGH CVE-2024-1797 8.8/10 · CVSS v3.1 ⏱ Within 7 days

WP ULike - Database Vulnerability Through Shortcodes

The WP ULike plugin has a weakness in its shortcodes that allows attackers to inject malicious commands into your website database. These commands can extract sensitive information or corrupt your data.

Impact: Attackers could access your customer database, steal login credentials, or manipulate your website's content and settings.

↗ View on NVD

HIGH CVE-2023-3813 7.5/10 · CVSS v3.1 ⏱ Immediate

Jupiter X Core - Unauthorized File Download Access

The Jupiter X Core plugin allows unauthenticated attackers to download files from your server, including configuration files containing passwords and sensitive data. Anyone on the internet could potentially access these files.

Impact: Hackers could obtain database credentials, API keys, and other confidential information needed to compromise your entire website.

↗ View on NVD

MEDIUM CVE-2023-6500 6.4/10 · CVSS v3.1 ⏱ Within 30 days

Shariff Wrapper - Malicious Code Injection via Colors

The Shariff Wrapper plugin doesn't properly validate color settings in its sharing buttons, allowing attackers to inject harmful code that runs on your website pages.

Impact: Attackers could inject malware, steal visitor data, redirect users to phishing sites, or deface your website content.

↗ View on NVD

MEDIUM CVE-2024-0966 6.4/10 · CVSS v3.1 ⏱ Within 30 days

Shariff Wrapper - Malicious Code Injection via Text

Similar to the color vulnerability, this flaw allows attackers to inject harmful code through the plugin's text settings, bypassing security checks.

Impact: Attackers could inject malware, deface your website, steal customer data, or compromise visitor security.

↗ View on NVD

Additional Vulnerabilities (3 more)

Showing first 10 of 3. View all on NVD ↗

CVE ID	Severity	Score	Published	Description
CVE-2024-1572	MEDIUM	6.4	2024-05-02	The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_ulike' shortcode in all versions up to, and including, 4.6.9 due to insufficien…
CVE-2024-1759	MEDIUM	6.4	2024-05-02	The WP ULike – Most Advanced WordPress Marketing Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and inc…
CVE-2021-4335	MEDIUM	6.3	2023-10-20	The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX…

          Full Report Available
        

All 9 CVEs with AI explanations + fix guide

Plain English · Fix recommendations · Instant PDF & HTML download

⬇ Get Full Report

          PDF + HTML · Instant download
        

Is your website running Wordpress 4.6.9?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 2 affected sites

How to Check If Your Website Is Affected

1 Log into your WordPress admin dashboard and go to the 'Dashboard' menu on the left sidebar
2 Look at the top of the page near 'At a Glance'—you'll see your WordPress version number displayed (e.g., 'Version 4.6.9')
3 If you see version 4.6.9 or any number between 4.0 and 4.6.9, your site is vulnerable and needs immediate updating

How to Fix These Vulnerabilities

1 Create a complete backup of your entire WordPress website using a backup plugin like UpdraftPlus or your hosting provider's backup tool—save this backup to a secure location offline
2 Go to Dashboard > Updates in your WordPress admin and click 'Update Now' to upgrade to the latest stable WordPress version (currently 6.4 or newer)
3 After updating WordPress, go to Plugins and update all your installed plugins, especially Fancy Product Designer, WP ULike, Jupiter X Core, and Shariff Wrapper if you have them installed
4 Test your website thoroughly to ensure all pages load correctly, forms work properly, and no features are broken after the update

Conclusion

Upgrading from WordPress 4.6.9 is not optional—it's essential for protecting your website, your customers' data, and your business reputation. The 9 vulnerabilities in this version create multiple attack vectors that hackers actively exploit. By following the fix guide above, you can eliminate these threats and move to a secure, modern WordPress installation within minutes.

Don't leave your site exposed to preventable attacks. SiteRecipe.com continuously monitors WordPress versions and identifies security vulnerabilities affecting your site. Use our free security scanner to detect vulnerabilities instantly, get step-by-step remediation guidance, and receive alerts when new threats emerge. Protect your WordPress site today—visit SiteRecipe.com now.

Frequently Asked Questions

What happens if I don't update from WordPress 4.6.9?

Hackers can exploit the critical file upload vulnerability to inject malicious code and take complete control of your website. They can steal customer data, inject spam or malware, deface your site, or use it to attack other websites. Your hosting provider may also suspend your account if it's compromised.

Will updating WordPress break my website or plugins?

Modern WordPress updates are designed to be backward compatible. However, very old plugins may need updating too. That's why we recommend backing up first, then updating WordPress and all plugins. If something breaks, you can restore from your backup while you troubleshoot.

Is WordPress 4.6.9 still supported by WordPress.org?

No, WordPress 4.6.9 is years out of support and no longer receives security patches. WordPress currently supports only the latest version and a few recent versions. Running 4.6.9 means you're completely cut off from official security updates and support.

How long does it take to update from 4.6.9 to the latest version?

The actual update process usually takes 2-5 minutes. However, you should add 15-30 minutes for creating a backup beforehand and testing your site after the update. Total time investment is typically under one hour for the complete secure upgrade.

Can SiteRecipe.com help me identify if my site has these vulnerabilities?

Yes, SiteRecipe.com's free security scanner instantly detects your WordPress version and identifies all known vulnerabilities affecting your installation. It also recommends specific fixes and monitors your site continuously for emerging threats.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 2 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com