WordPress 4.7.1 contains 26 documented security vulnerabilities that put your website at serious risk. With 1 critical vulnerability, 6 high-severity flaws, and 17 medium-level issues, this version requires immediate attention from site administrators. If you're still running WordPress 4.7.1, your site could be vulnerable to privilege escalation, account takeover, and cross-site attacks that compromise user data and site integrity.
In this comprehensive security guide, we'll break down the most dangerous vulnerabilities affecting WordPress 4.7.1, explain what they mean for your website, and provide step-by-step instructions to protect your site. Whether you're managing a single blog or multiple sites, understanding these CVEs is essential to maintaining security and protecting your users.
WordPress 4.7.1 is an older version of the popular WordPress content management system, released in early 2017. Like all software, this version had security gaps that developers discovered and documented as CVEs (Common Vulnerabilities and Exposures). Think of CVEs as official reports of security flaws—they're numbered and tracked to help website owners understand what threats exist and how serious they are. WordPress 4.7.1 has been superseded by hundreds of newer versions, each building on the last with security patches and improvements.
The vulnerability severity levels range from Critical (most dangerous) to Low (minor concern). Critical vulnerabilities can allow attackers to take over accounts or inject malicious code. High-severity flaws could enable unauthorized access or data theft. Medium and Low vulnerabilities are still important but pose less immediate risk. Running an outdated WordPress version like 4.7.1 is like locking your front door with a 2017 lock whose weaknesses have since been published: better locks exist, but you are not using them.
26 CVEs found. The most critical are explained below.
A plugin used to connect WordPress with MiniProgram is missing a permission (capability) check in its code, so an attacker can modify other users' account information and take over their accounts without ever being authorized to do so.
Impact: Attackers could gain control of administrator accounts and take over your entire website, modify content, steal data, or install malware.
WordPress 4.7.1 has a vulnerability in how it handles Flash file uploads that allows attackers to trick logged-in users into performing actions they did not intend. A crafted Flash file, once uploaded, can be used to send requests under the logged-in user's session.
Impact: Attackers could perform unauthorized actions on your website using your admin account, such as creating new admin users, changing settings, or deleting content.
The widget editing feature in WordPress 4.7.1 is vulnerable to cross-site request forgery (CSRF): an attacker can trick a logged-in administrator's browser into submitting a forged request that changes the site's widgets without the administrator's knowledge, altering the site's appearance and functionality.
Impact: Attackers could inject malicious code into your website widgets, redirect visitors to phishing sites, or display unwanted content to your audience.
The PublishPress Authors plugin has a flaw that lets attackers access and modify author accounts they should not be able to reach. A missing authorization check in its action_edited_author function allows unauthorized account takeover.
Impact: Attackers could hijack author accounts, publish malicious content, steal author information, or gain elevated access to your website.
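The flaws described for the MiniProgram connector, the widget editor and PublishPress Authors above come down to two patterns: a handler that never checks whether the caller is allowed to act on the target account, and a handler that accepts a request without proving the logged-in user actually intended it. The following is an added example, not code from the page, from WordPress core or from any plugin it names; the hypothetical AJAX handler `example_update_email`, its nonce action name and the request field names are assumptions. It shows the same handler once with both checks missing and once hardened with `check_ajax_referer()` and `current_user_can()`.

```php
<?php
/**
 * Added example (not from the page, WordPress core, or any named plugin):
 * a hypothetical plugin AJAX handler that updates a user's e-mail address,
 * shown with the two checks missing and then with them in place.
 */

// --- Vulnerable pattern: no nonce check, no capability check. -----------
// Any logged-in user can change the e-mail of an arbitrary user_id, and a
// third-party page that submits this form on a logged-in admin's behalf
// (CSRF) gets the same result.
function example_vulnerable_update_email() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );

    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// --- Hardened pattern. --------------------------------------------------
function example_hardened_update_email() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action. check_ajax_referer() stops the request with HTTP 403 if the
    //    nonce is missing or stale. The page that renders the form obtains
    //    it with wp_create_nonce( 'example_update_email' ).
    check_ajax_referer( 'example_update_email', '_ajax_nonce' );

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );

    // 2. Authorization: a nonce proves intent, not permission. Check the
    //    'edit_user' meta capability for *this* user_id, so an author cannot
    //    edit an administrator's account.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Validate the new value before writing it.
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid e-mail address.' ), 400 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_action( 'wp_ajax_example_update_email', 'example_hardened_update_email' );

// Client side (hypothetical): the nonce is rendered into the page, e.g. via
// wp_localize_script(), and sent with the request:
//   jQuery.post( ajaxurl, { action: 'example_update_email', _ajax_nonce: nonce,
//                           user_id: 7, email: 'new@example.com' } );
```

The order of the checks matters for reviewers: the nonce check answers "did this user mean to send this request?", the capability check answers "is this user allowed to touch this record?", and a handler needs both. The missing-authorization CVEs above are cases where the second question was never asked; the widget CSRF is a case where the first was not.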
WordPress versions before 5.4.1 allow files with specially crafted names to execute malicious code when uploaded to the Media library. Anyone with file upload permissions can exploit this to run scripts on your server.
Impact: Attackers with upload access could inject malware, steal sensitive data, compromise your server, or use it to attack other websites.
WordPress 4.7.1's Multisite feature uses weak random number generation for the keys in its user signup and site signup processes. Because those keys are easier to guess than they should be, an attacker can bypass the access restrictions they are meant to enforce.
Impact: Attackers could register accounts, bypass authentication, or gain unauthorized access to multiple sites in a WordPress Multisite network.
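The Multisite issue above is a failure of key generation rather than of access-control logic: a signup key is only as strong as the randomness behind it. The following added example (not from the page or from WordPress core; the function names are hypothetical) contrasts a key built from time() and mt_rand() with one drawn from PHP's CSPRNG, and shows the storage and comparison steps that go with it.

```php
<?php
/**
 * Added example (not from the page or WordPress core): generating and
 * checking a one-time activation key for a signup flow. Function names
 * are hypothetical.
 */

// Weak: mt_rand() is not a cryptographic generator. Its seed space is
// small and its output becomes predictable once a few values have been
// observed, so a key derived from it can be guessed.
function example_weak_activation_key() {
    return substr( md5( time() . mt_rand() ), 0, 16 );
}

// Hardened: 128 bits from the operating system's CSPRNG. Inside WordPress,
// wp_generate_password( 32, false ) is the in-tree equivalent; plain PHP is
// used here so the snippet runs stand-alone.
function example_activation_key() {
    return bin2hex( random_bytes( 16 ) ); // 32 hex characters
}

// Persist only a hash of the key, so reading the database does not
// expose live keys.
function example_key_hash( $key ) {
    return hash( 'sha256', $key );
}

// Compare in constant time so response timing does not leak the key.
function example_key_matches( $submitted, $stored_hash ) {
    return hash_equals( $stored_hash, hash( 'sha256', (string) $submitted ) );
}

// Usage:
$key  = example_activation_key();   // e-mailed to the user once
$hash = example_key_hash( $key );   // stored with the pending signup row
echo example_key_matches( $key, $hash ) ? "accepted\n" : "rejected\n";
echo example_key_matches( 'guess', $hash ) ? "accepted\n" : "rejected\n";
```

Two further properties a signup key should have, which this snippet leaves to the caller: it should expire after a short window, and it should be invalidated once used, so a key that leaks later cannot be replayed.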
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-8484 | HIGH | 7.5 | 2024-09-25 | The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint i… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2023-6637 | MEDIUM | 6.5 | 2024-01-11 | The CAOS | Host Google Analytics Locally plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' functio… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2017-5488 | MEDIUM | 6.1 | 2017-01-15 | Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1)… |
| CVE-2017-5490 | MEDIUM | 6.1 | 2017-01-15 | Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arb… |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2026-1706 | MEDIUM | 6.1 | 2026-03-04 | The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insuffi… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2017-5487 | MEDIUM | 5.3 | 2017-01-15 | wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors,… |
| CVE-2017-5491 | MEDIUM | 5.3 | 2017-01-15 | wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. |
| CVE-2024-37444 | MEDIUM | 5.3 | 2024-11-01 | Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Defender Security defender-security. This issue affects Defender Security: from n/a through <= … |
| CVE-2024-6094 | MEDIUM | 4.8 | 2024-07-24 | The WP ULike WordPress plugin before 4.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Sc… |
| CVE-2023-6497 | MEDIUM | 4.4 | 2024-01-27 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automatic redirect URL setting in all versions up to and including 4.7… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
WordPress 4.7.1 is no longer safe for production websites. With 1 critical vulnerability enabling account takeover and 6 additional high-severity flaws affecting authentication and file uploads, the risks far outweigh any reasons to stay on this old version. The good news is that updating WordPress takes minutes and immediately closes most of these security holes. After updating, your site becomes significantly more resistant to the attacks that target vulnerable, outdated installations.
Don't leave your website exposed to preventable attacks. Use SiteRecipe.com to scan your site for vulnerabilities, get personalized security recommendations, and monitor your WordPress installation continuously. Our platform makes it easy to identify outdated versions, missing security patches, and vulnerable plugins—giving you peace of mind that your site is protected. Start your free security scan today and take control of your WordPress security.