WordPress 4.7 was released in December 2016, and the CVE list on this page gathers more than a hundred vulnerabilities associated with that version number, among them SQL injection, REST API flaws that let an unauthenticated attacker list users and modify posts, arbitrary file upload, and privilege escalation bugs that end in a full site takeover. If you are still running an unpatched 4.7.x install, your site is exposed. This guide helps you pin down exactly which release you are on, which of the listed CVEs actually apply to it, and what to do about them today.
The most alarming aspect of the core flaws is that many need no login at all: the REST API user listing fixed in 4.7.1 and the post-modification bug fixed in 4.7.2 were reachable by anyone who could send an HTTP request, and the latter was exploited at scale within days of its public disclosure. Automated scanners still probe for these fingerprints, so every remaining 4.7 install (12 websites by the count shown here) is a target. The good news is that fixing this is straightforward, and the steps are below.
WordPress 4.7 is an older release of the world's most popular website platform, originally shipped in late 2016 for bloggers, small business owners, and content creators who want a site without writing code. Like all software, it received security updates while it was current: the 4.7 branch got point releases 4.7.1 through 4.7.5 in the first half of 2017, each closing the core CVEs listed in the table below. Once a branch reaches end-of-life it stops receiving patches, and any flaw found after that stays open. Note that "WordPress 4.7" covers 4.7.0 through 4.7.5, and which point release you are on decides which core CVEs still apply, so check the exact version rather than the branch.
Think of WordPress 4.7 like an older car model: it may still run, but the manufacturer has stopped making safety improvements. The vulnerabilities documented below range from SQL injection (reading or altering your database) to arbitrary file upload (letting an attacker drop a PHP backdoor on the server). These are not theoretical: several of the 2017 core issues were mass-exploited shortly after disclosure, and they are still in the scanners criminals run across the internet. Bear in mind that most rows in the table describe plugins or themes whose own version number happens to be 4.7; those matter only if that plugin or theme is installed on your site.
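Before deciding what applies to you, get the exact core version and compare it against the fix releases. The script below is an added example written for this page, not code from SiteRecipe or from WordPress; it reads the version from any of the three places WordPress exposes it (the `$wp_version` variable in `wp-includes/version.php`, the HTML generator meta tag, or the RSS feed generator element) and reports which of the 2017 core CVEs from the table still apply. The CVE-to-release mapping is taken directly from the "before 4.7.x" wording in the table; the sample inputs are constructed.

```python
"""Triage a WordPress 4.7.x install against the core CVEs in this page's table.

Added example for this page (not SiteRecipe or WordPress code). Sample
inputs are constructed, not captured from a real site.
"""
import re
from typing import Optional

# Core CVEs from the table, grouped by the first release that is NOT affected
# ("before 4.7.1" -> fixed in 4.7.1). CVE-2017-8295 ("through 4.7.4") and
# CVE-2017-6514 ("WordPress 4.7.2") are left out because the table names no
# fix release for them; the 2020+ core rows say only "affected versions",
# so check the WordPress release notes for those separately.
CORE_CVES_FIXED_IN = {
    "4.7.1": ["CVE-2017-5487", "CVE-2017-5488", "CVE-2017-5489", "CVE-2017-5490",
              "CVE-2017-5491", "CVE-2017-5492", "CVE-2017-5493"],
    "4.7.2": ["CVE-2017-1001000", "CVE-2017-5610", "CVE-2017-5612"],
    "4.7.3": ["CVE-2017-6814", "CVE-2017-6815", "CVE-2017-6816",
              "CVE-2017-6817", "CVE-2017-6818", "CVE-2017-6819"],
    "4.7.5": ["CVE-2017-9061", "CVE-2017-9062", "CVE-2017-9063",
              "CVE-2017-9064", "CVE-2017-9065", "CVE-2017-9066"],
}

# The three places the exact version shows up:
#   wp-includes/version.php : $wp_version = '4.7';
#   page <head>             : <meta name="generator" content="WordPress 4.7" />
#   RSS feed                : <generator>https://wordpress.org/?v=4.7</generator>
VERSION_PATTERNS = [
    re.compile(r"\$wp_version\s*=\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]"),
    re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([0-9]+(?:\.[0-9]+)*)"', re.I),
    re.compile(r"<generator>https?://wordpress\.org/\?v=([0-9]+(?:\.[0-9]+)*)</generator>", re.I),
]


def extract_version(text: str) -> Optional[str]:
    """Return the WordPress version found in version.php, HTML or feed text, else None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(text)
        if match:
            return match.group(1)
    return None


def version_key(version: str) -> tuple:
    """Comparable tuple; '4.7' and '4.7.0' are equal, '4.7.2' < '4.7.10'."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def applicable_core_cves(version: str) -> list:
    """Core CVEs from the table whose fix release is newer than `version`.

    'before X' is taken literally, so a pre-4.7 version is reported as
    affected by everything; two rows (CVE-2017-5487, CVE-2017-1001000) are
    4.7-specific in NVD's wording, which this simplification ignores."""
    current = version_key(version)
    hits = []
    for fixed_in, cves in CORE_CVES_FIXED_IN.items():
        if current < version_key(fixed_in):
            hits.extend(cves)
    return hits


def triage(text: str) -> dict:
    """Version plus open core CVEs plus a one-line verdict for one fingerprint source."""
    version = extract_version(text)
    if version is None:
        return {"version": None, "cves": [], "note": "no version string found"}
    cves = applicable_core_cves(version)
    note = "update core" if cves else "table's core CVEs are fixed; now check plugins/themes"
    return {"version": version, "cves": cves, "note": note}


# Constructed samples (not from a real site).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7';\n"
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 4.7.2" /></head></html>'
SAMPLE_FEED = "<rss><channel><generator>https://wordpress.org/?v=4.7.5</generator></channel></rss>"

if __name__ == "__main__":
    for sample in (SAMPLE_VERSION_PHP, SAMPLE_HTML, SAMPLE_FEED):
        result = triage(sample)
        print(result["version"], len(result["cves"]), "open core CVEs:", result["note"])
```

Run it against the real `wp-includes/version.php` on disk when you have shell access; the HTML and feed patterns are for the case where you only have the public site, and they fail silently if a hardening plugin strips the generator tag. A result of no open core CVEs means only that the 2017 core rows are closed; plugin rows still need to be checked against the installed plugin list.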
The table further down lists 111 CVEs. The ones with the highest impact for a site still on 4.7 are explained first; keep in mind that the table mixes WordPress core CVEs with plugin and theme CVEs whose own version number happens to be 4.7.
WordPress 4.7.0 and 4.7.1 carry a SQL injection weakness in core's WP_Query: a plugin or theme that passes a post type name taken from user input straight into a query gets that name interpolated into SQL without proper escaping. Core on its own does not expose the path, but any add-on that mishandles a crafted post type name turns it into an unauthenticated database compromise. WordPress 4.7.2 added the hardening that closes it.
Impact: an attacker could read your customer data, password hashes, and content, alter or delete it, or corrupt the database so the site stops working. That means a data breach, possible identity theft of your customers, and significant downtime.
The Search Everything plugin before version 8.1.7 has a SQL injection of its own, independent of the core issue above: if the plugin is installed, an unauthenticated visitor can inject SQL through the site's search feature.
Impact: attackers can read sensitive data, modify website content, or take full control of the WordPress site and its database.
The Malware Scanner and Web Application Firewall plugins from MiniOrange have a missing authorization check that lets an attacker bypass the plugin's security restrictions and act as if they held administrator permissions, giving them full control of the site.
Impact: an attacker could take over the WordPress admin role, install malware, steal all data, or lock you out of your own website.
The REST API TO MiniProgram plugin has an insecure direct object reference: by changing a user identifier in the request, an attacker can modify data belonging to any user account, administrators included, without logging in.
Impact: an attacker can take over admin accounts and gain complete control of the website, or compromise individual user accounts to reach their personal information.
The WP Foodbakery plugin up to version 4.7 does not validate the type of file uploaded as a profile image, so an attacker can upload a PHP script disguised as an image and then request it from the web server.
Impact: malicious code uploaded this way runs on your server, potentially giving attackers full control of the website and the host, letting them steal data or use the site to attack others.
The WP Foodbakery plugin up to version 4.7 also lets anyone registering a new account pick their own role during sign-up, because the plugin never validates what permissions a new user is allowed to have.
Impact: attackers can register a free account and immediately become administrators with full control over the website, its data, and all customer information.
The full list of 111 CVEs, as published on NVD, sorted by CVSS score. Only the rows whose description names WordPress itself concern core; the rest describe plugins or themes with an unrelated version 4.7 of their own and apply only if that plugin or theme is installed.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-13615 | CRITICAL | 9.8 | 2025-11-30 | The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlle… |
| CVE-2017-5489 | HIGH | 8.8 | 2017-01-15 | Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash… |
| CVE-2017-5492 | HIGH | 8.8 | 2017-01-15 | Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of … |
| CVE-2017-9064 | HIGH | 8.8 | 2017-05-18 | In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. |
| CVE-2021-24487 | HIGH | 8.8 | 2021-10-25 | The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation… |
| CVE-2021-4096 | HIGH | 8.8 | 2022-04-19 | The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious… |
| CVE-2022-2864 | HIGH | 8.8 | 2022-10-28 | The demon image annotation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7. This is due to missing nonce validation in the ~… |
| CVE-2023-0765 | HIGH | 8.8 | 2023-04-17 | The Gallery by BestWebSoft WordPress plugin before 4.7.0 does not properly escape values used in SQL queries, leading to an Blind SQL Injection vulnerability. The attacker must ha… |
| CVE-2021-4337 | HIGH | 8.8 | 2023-06-07 | Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various v… |
| CVE-2024-9215 | HIGH | 8.8 | 2024-10-17 | The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege E… |
| CVE-2024-12920 | HIGH | 8.8 | 2025-03-19 | The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capabilit… |
| CVE-2024-13933 | HIGH | 8.8 | 2025-03-19 | The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is d… |
| CVE-2025-4800 | HIGH | 8.8 | 2025-05-28 | The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation in the stm_lms_add_assignment_attachment function in all… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2017-9062 | HIGH | 8.6 | 2017-05-18 | In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. |
| CVE-2017-9066 | HIGH | 8.6 | 2017-05-18 | In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |
| CVE-2026-7862 | HIGH | 8.6 | 2026-05-28 | The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate re… |
| CVE-2024-7781 | HIGH | 8.1 | 2024-09-26 | The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social L… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2017-5493 | HIGH | 7.5 | 2017-01-15 | wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers … |
| CVE-2017-1001000 | HIGH | 7.5 | 2017-04-03 | The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer ident… |
| CVE-2017-9065 | HIGH | 7.5 | 2017-05-18 | In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. |
| CVE-2024-8484 | HIGH | 7.5 | 2024-09-25 | The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint i… |
| CVE-2022-4972 | HIGH | 7.5 | 2024-10-16 | The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to… |
| CVE-2024-13471 | HIGH | 7.5 | 2025-03-05 | The DesignThemes Core Features plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dt_process_imported_file function in all … |
| CVE-2025-7438 | HIGH | 7.5 | 2025-07-18 | The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'install_and_activate_plugin' function in all … |
| CVE-2026-10737 | HIGH | 7.5 | 2026-06-04 | The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and … |
| CVE-2021-4134 | HIGH | 7.2 | 2022-02-16 | The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.… |
| CVE-2024-13906 | HIGH | 7.2 | 2025-03-07 | The Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, … |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2017-6819 | MEDIUM | 6.5 | 2017-03-12 | In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The … |
| CVE-2016-11085 | MEDIUM | 6.5 | 2020-08-16 | php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admi… |
| CVE-2023-6637 | MEDIUM | 6.5 | 2024-01-11 | The CAOS | Host Google Analytics Locally plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' functio… |
| CVE-2024-31108 | MEDIUM | 6.5 | 2024-03-31 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iFlyChat Team iFlyChat – WordPress Chat iflychat allows Stored XSS.This issue… |
| CVE-2024-3748 | MEDIUM | 6.5 | 2024-05-15 | The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a … |
| CVE-2024-3749 | MEDIUM | 6.5 | 2024-05-15 | The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another user |
| CVE-2026-1461 | MEDIUM | 6.5 | 2026-02-19 | The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2022-36284 | MEDIUM | 6.4 | 2022-08-05 | Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Paym… |
| CVE-2023-4718 | MEDIUM | 6.4 | 2023-09-02 | The Font Awesome 4 Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fa' and 'fa-stack' shortcodes in versions up to, and including, 4.7.0 due to in… |
| CVE-2023-4919 | MEDIUM | 6.4 | 2023-10-20 | The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `iframe` shortcode in versions up to, and including, 4.6 due to insufficient input sanitizatio… |
| CVE-2024-13350 | MEDIUM | 6.4 | 2025-03-05 | The SearchIQ – The Search Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siq_searchbox' shortcode in all versions up to, and includin… |
| CVE-2025-3488 | MEDIUM | 6.4 | 2025-05-02 | The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpml_language_switcher shortcode in versions 3.6.0 - 4.7.3 due to insufficient input sa… |
| CVE-2025-12369 | MEDIUM | 6.4 | 2025-11-04 | The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `geojsonmarker` shortcode in all versions up to, and including, 4.7. This … |
| CVE-2025-13866 | MEDIUM | 6.4 | 2025-12-12 | The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action… |
| CVE-2017-5488 | MEDIUM | 6.1 | 2017-01-15 | Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1)… |
| CVE-2017-5490 | MEDIUM | 6.1 | 2017-01-15 | Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arb… |
| CVE-2017-5612 | MEDIUM | 6.1 | 2017-01-30 | Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arb… |
| CVE-2017-6815 | MEDIUM | 6.1 | 2017-03-12 | In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. |
| CVE-2017-6818 | MEDIUM | 6.1 | 2017-03-12 | In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. |
| CVE-2017-9061 | MEDIUM | 6.1 | 2017-05-18 | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict prese… |
| CVE-2017-9063 | MEDIUM | 6.1 | 2017-05-18 | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2023-0479 | MEDIUM | 6.1 | 2024-01-16 | The Print Invoice & Delivery Notes for WooCommerce WordPress plugin before 4.7.2 is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orde… |
| CVE-2024-9378 | MEDIUM | 6.1 | 2024-10-02 | The YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 4.7.2 due to insuffic… |
| CVE-2024-11278 | MEDIUM | 6.1 | 2024-11-20 | The GD bbPress Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all vers… |
| CVE-2024-12438 | MEDIUM | 6.1 | 2025-01-07 | The WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'start_date’ and 'end_date' paramet… |
| CVE-2024-12320 | MEDIUM | 6.1 | 2025-01-30 | The Team Rosters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in all versions up to, and including, 4.7 due to insufficient input s… |
| CVE-2026-1706 | MEDIUM | 6.1 | 2026-03-04 | The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insuffi… |
| CVE-2017-8295 | MEDIUM | 5.9 | 2017-05-04 | WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a cra… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2017-6814 | MEDIUM | 5.4 | 2017-03-12 | In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the… |
| CVE-2017-6817 | MEDIUM | 5.4 | 2017-03-12 | In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2022-3096 | MEDIUM | 5.4 | 2022-10-31 | The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform … |
| CVE-2023-0764 | MEDIUM | 5.4 | 2023-04-17 | The Gallery by BestWebSoft WordPress plugin before 4.7.0 does not perform proper sanitization of gallery information, leading to a Stored Cross-Site Scription vulnerability. The a… |
| CVE-2024-5595 | MEDIUM | 5.4 | 2024-08-02 | The Essential Blocks WordPress plugin before 4.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, whi… |
| CVE-2024-9599 | MEDIUM | 5.4 | 2025-05-15 | The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site S… |
| CVE-2017-5487 | MEDIUM | 5.3 | 2017-01-15 | wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors,… |
| CVE-2017-5491 | MEDIUM | 5.3 | 2017-01-15 | wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. |
| CVE-2017-5610 | MEDIUM | 5.3 | 2017-01-30 | wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remot… |
| CVE-2017-6514 | MEDIUM | 5.3 | 2019-05-22 | WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, … |
| CVE-2020-29156 | MEDIUM | 5.3 | 2020-12-27 | The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. |
| CVE-2023-7014 | MEDIUM | 5.3 | 2024-02-05 | The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.… |
| CVE-2024-6559 | MEDIUM | 5.3 | 2024-07-16 | The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.7.3. Thi… |
| CVE-2024-37444 | MEDIUM | 5.3 | 2024-11-01 | Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Defender Security defender-security.This issue affects Defender Security: from n/a through <= … |
| CVE-2025-14294 | MEDIUM | 5.3 | 2026-02-19 | The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versi… |
| CVE-2026-25325 | MEDIUM | 5.3 | 2026-02-19 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve E… |
| CVE-2022-25649 | MEDIUM | 5.0 | 2022-08-05 | Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress. |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2017-6816 | MEDIUM | 4.9 | 2017-03-12 | In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. |
| CVE-2021-24343 | MEDIUM | 4.8 | 2021-06-07 | The iFlyChat WordPress plugin before 4.7.0 does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue |
| CVE-2021-36839 | MEDIUM | 4.8 | 2022-09-30 | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Social Media Follow Buttons Bar plugin <= 4.73 at WordPress. |
| CVE-2023-4253 | MEDIUM | 4.8 | 2023-09-04 | The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site S… |
| CVE-2023-4254 | MEDIUM | 4.8 | 2023-09-04 | The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site S… |
| CVE-2022-3829 | MEDIUM | 4.8 | 2024-01-16 | The Font Awesome 4 Menus WordPress plugin through 4.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored C… |
| CVE-2024-6094 | MEDIUM | 4.8 | 2024-07-24 | The WP ULike WordPress plugin before 4.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Sc… |
| CVE-2024-7878 | MEDIUM | 4.8 | 2024-09-25 | The WP ULike WordPress plugin before 4.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Sc… |
| CVE-2024-7879 | MEDIUM | 4.8 | 2024-11-06 | The WP ULike WordPress plugin before 4.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripti… |
| CVE-2025-3502 | MEDIUM | 4.8 | 2025-05-01 | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site… |
| CVE-2025-3503 | MEDIUM | 4.8 | 2025-05-01 | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site… |
| CVE-2025-3504 | MEDIUM | 4.8 | 2025-05-01 | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site… |
| CVE-2024-12770 | MEDIUM | 4.8 | 2025-05-15 | The WP ULike WordPress plugin before 4.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Sc… |
| CVE-2023-6497 | MEDIUM | 4.4 | 2024-01-27 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automatic redirect URL setting in all versions up to and including 4.7… |
| CVE-2014-4552 | MEDIUM | 4.3 | 2014-07-02 | Cross-site scripting (XSS) vulnerability in library/includes/payment/paypalexpress/DoDirectPayment.php in the Spotlight (spotlightyour) plugin 4.7 and earlier for WordPress allows… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-1693 | MEDIUM | 4.3 | 2024-05-14 | The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in… |
| CVE-2024-5858 | MEDIUM | 4.3 | 2024-06-15 | The AI Infographic Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the qcld_openai_title_generate_desc AJAX acti… |
| CVE-2024-9649 | MEDIUM | 4.3 | 2024-10-16 | The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7.4. This is d… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-14447 | MEDIUM | 4.3 | 2025-12-13 | The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all v… |
| CVE-2025-12168 | MEDIUM | 4.3 | 2026-01-17 | The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX… |
| CVE-2025-9218 | LOW | 3.7 | 2025-12-13 | The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() fu… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2024-2220 | LOW | 3.5 | 2024-05-23 | The Button contact VR WordPress plugin through 4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-… |
| CVE-2024-6792 | LOW | 3.5 | 2024-09-06 | The WP ULike WordPress plugin before 4.7.2.1 does not properly sanitize user display names when rendering on a public page. |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
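Two rows in the table, CVE-2017-5487 (the REST API lists post authors without proper restriction) and CVE-2017-1001000 (the posts route does not require an integer identifier), describe unauthenticated REST requests that show up plainly in web-server access logs. The script below is an added example for this page, not SiteRecipe code: it parses combined-format log lines and flags GET requests to `/wp/v2/users` and write requests to `/wp/v2/posts/<n>` that carry a non-integer `id` query parameter, handling both the `/wp-json/` and the `?rest_route=` addressing forms. The log lines are constructed, and the assumption that probes present the non-integer id as a query parameter (rather than in a request body an access log cannot show) is the author's, not the table's.

```python
"""Hunt access logs for probes matching two unauthenticated REST API issues
fixed in WordPress 4.7.1 and 4.7.2 (CVE-2017-5487, CVE-2017-1001000).

Added example for this page, not SiteRecipe code. Log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format; only method, target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def rest_route(target: str):
    """Normalise the two ways a REST route can be addressed.

    /wp-json/<route> (pretty permalinks) or /?rest_route=<route>.
    Returns (route, query dict); route is None for non-REST requests."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):], query
    if "rest_route" in query:
        return query["rest_route"][0], query
    return None, query


def classify(method: str, target: str):
    """Return a label for a suspicious REST request, or None."""
    route, query = rest_route(target)
    if route is None:
        return None
    # CVE-2017-5487: an unauthenticated listing of /wp/v2/users exposed
    # usernames. Access logs do not show auth state (editors legitimately
    # hit this route), so treat it as a hunting signal, not an alert.
    if method == "GET" and re.fullmatch(r"/wp/v2/users/?", route):
        return "user-listing"
    # CVE-2017-1001000: a write to the posts route whose `id` query
    # parameter is not an integer (assumed presentation of the probe).
    if method in ("POST", "PUT", "PATCH") and re.fullmatch(r"/wp/v2/posts/\d+", route):
        if any(not value.isdigit() for value in query.get("id", [])):
            return "non-integer-post-id"
    return None


def scan(lines):
    """Return [(line_no, label, target)] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; skip rather than guess
        label = classify(match["method"], match["target"])
        if label:
            hits.append((number, label, match["target"]))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2017:08:01:02 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2017:08:01:05 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2200',
    '203.0.113.7 - - [10/Feb/2017:08:01:09 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 830',
    '203.0.113.7 - - [10/Feb/2017:08:01:15 +0000] "POST /wp-json/wp/v2/posts/1?id=1abc HTTP/1.1" 200 1400',
    '198.51.100.9 - - [10/Feb/2017:08:02:00 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 830',
    '198.51.100.9 - - [10/Feb/2017:08:02:30 +0000] "POST /wp-json/wp/v2/posts/1?id=1 HTTP/1.1" 401 120',
]

if __name__ == "__main__":
    for number, label, target in scan(SAMPLE_LOG):
        print(f"line {number}: {label}: {target}")
```

A 200 on the `non-integer-post-id` line against a 4.7.0 or 4.7.1 site is the signature worth chasing in incident response; the same request against a patched site should not succeed. Pipe a real log in with `scan(open(path))` and feed the hits to whatever case tooling you use.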
WordPress 4.7 is dangerously outdated, and every day you delay updating leaves the website open to the breaches described above. The highest-impact issues, SQL injection, privilege escalation, and arbitrary file upload, give attackers several independent ways to steal data, plant malware, or take complete control of the site. Updating core to the current release takes minutes and closes every core CVE in the table; it does nothing for the plugin and theme rows, which need the affected plugin or theme updated or removed. Take a full backup first, check the PHP version the target release requires (a jump from 4.7 to current is large), and after the update verify the installed files against the official checksums so you are not carrying a backdoor forward.
Don't let your website become another victim of preventable attacks. SiteRecipe.com provides comprehensive WordPress security scanning and monitoring tools that identify vulnerabilities before attackers can exploit them. Our platform continuously checks for outdated versions, missing patches, and suspicious activity on your site. Sign up for a free security scan today to see exactly what vulnerabilities exist on your WordPress site, and let our experts guide you through securing it properly.