WordPress 4.7.2 is an older version released in early 2017 that contains 19 known security vulnerabilities, including 2 critical flaws that could allow attackers to take control of your website. If your site is still running this version, you're at serious risk of data theft, malware injection, and complete site compromise. This comprehensive guide will help you identify if you're vulnerable and provide step-by-step instructions to protect your WordPress installation immediately.
The vulnerabilities range from SQL injection through query parameters that plugins and themes fail to sanitize to missing authorization checks that let unauthenticated users perform admin-level actions. With 135 websites still using WordPress 4.7.2, attackers actively target this outdated version. Our security experts have compiled this essential guide to help you secure your site before it's too late.
WordPress 4.7.2 is a version of WordPress released on 26 January 2017. WordPress is the world's most popular website-building platform, powering over 40% of all websites on the internet. It allows business owners, bloggers, and organizations to create professional websites without needing extensive coding knowledge. WordPress 4.7.2 was considered a stable release at the time, offering features for managing content, users, and website appearance.
However, security researchers have since discovered serious vulnerabilities in WordPress 4.7.2 that were patched in later versions. These weaknesses were found in the code that handles database queries, authorization checks, output escaping, file uploads, and REST API requests. Because WordPress is so popular, attackers specifically target outdated versions looking for these known weaknesses. Running an old version means you're using software with publicly disclosed security holes that hackers actively exploit, and a site still on 4.7.2 has also missed every security fix released since January 2017.
19 CVEs match this version. The six most significant are explained in plain English below; the remaining 13 are listed in the table that follows. Note that the list mixes flaws in WordPress core with flaws in third-party plugins whose own version number happens to be 4.7.2, so check each entry against what is actually installed on your site.
WordPress before 4.7.2 contained a SQL injection flaw in WP_Query: if a plugin or theme passed a visitor-supplied value into a query as the post type without sanitizing it, that value reached the database query. WordPress 4.7.2 is the release that fixed the core side of this, but the plugin-side lesson still applies: never pass request input into a query argument without checking it against the post types you actually expect.
Impact: On an affected site, an attacker could read or modify your website data, create fake admin accounts, or take over the site without needing to log in.
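The plugin-side check that keeps such a query safe, as an added example in plain PHP (this is not code from the page or from WordPress; the allow-list, the request values and the function names are constructed for illustration, and WP_Query itself is only referenced in a comment because it needs WordPress loaded):

```php
<?php
// Added example: a plugin building WP_Query arguments from request input,
// first the insecure way and then the hardened way. Allow-list and requests
// are constructed here so the file runs stand-alone (PHP 7.0+).

declare(strict_types=1);

// Insecure pattern: whatever the visitor sends in ?type= reaches WP_Query.
// On WordPress before 4.7.2 an attacker-controlled post_type could reach SQL.
function build_query_args_insecure(array $request): array
{
    return [
        'post_type'      => $request['type'] ?? 'post',
        'posts_per_page' => 10,
    ];
}

// Hardened pattern: the post type must match one the plugin explicitly allows.
// In WordPress you would build $allowed from get_post_types() or test each
// candidate with post_type_exists(); here it is a fixed array.
// Only a single string is accepted; WP_Query also takes an array of types,
// but a plugin that needs that should allow-list each element the same way.
function build_query_args_hardened(array $request, array $allowed): array
{
    $raw  = $request['type'] ?? 'post';
    $type = is_string($raw) ? $raw : '';

    // Strict comparison: no type juggling, no partial matches.
    if (!in_array($type, $allowed, true)) {
        // Fall back to a safe default instead of echoing the bad value back.
        $type = 'post';
    }

    return [
        'post_type'      => $type,
        'posts_per_page' => 10,
    ];
}

$allowed = ['post', 'page', 'product'];

// Constructed request values: a normal one, an injection-shaped string,
// and an array where a string was expected.
$requests = [
    ['type' => 'product'],
    ['type' => "post' OR 1=1 -- "],
    ['type' => ['array', 'instead', 'of', 'string']],
];

foreach ($requests as $req) {
    $insecure = build_query_args_insecure($req);
    $hardened = build_query_args_hardened($req, $allowed);
    printf(
        "insecure post_type=%s | hardened post_type=%s\n",
        var_export($insecure['post_type'], true),
        var_export($hardened['post_type'], true)
    );
}

// With WordPress loaded, the hardened arguments are passed straight through:
//   $query = new WP_Query(build_query_args_hardened($_GET, $allowed));
```

The insecure function forwards the injection-shaped string and the array unchanged; the hardened one returns `product` for the valid request and `post` for both bad ones. An allow-list is preferable to escaping here because a post type is an identifier chosen by the site, not free text: there is no legitimate reason to accept anything outside the set the plugin registered.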
The MiniOrange Malware Scanner and Web Application Firewall plugins have a missing authorization check that allows unauthorized users to gain administrator-level access to your WordPress site. The plugins do not verify the caller's capability before performing privileged functions, so anyone who can reach the affected endpoint can use it.
Impact: Attackers could gain full control of your website, access sensitive data, modify content, or use your site to attack your visitors.
The Eupago payment gateway plugin for WooCommerce does not protect its refund endpoint with authentication or authorization, allowing anyone on the internet to process refunds from your store without logging in. The refunds are issued through your own payment gateway credentials.
Impact: Customers could get refunds they didn't request, your revenue could be lost, and your payment processor account could be compromised or suspended due to fraud.
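Both plugin flaws above are the same class of bug: a privileged action reachable without an authorization check. As an added example (not code from MiniOrange, Eupago, WooCommerce or WordPress), here is a WooCommerce refund route registered through the WordPress REST API, with the weak registration shown in a comment and the hardened one registered for real. The namespace, route name and capability choice are assumptions for the example; it has to run inside WordPress with WooCommerce active (load it from wp-content/mu-plugins/).

```php
<?php
/**
 * Plugin Name: Example refund route (added example, not a vendor plugin)
 *
 * Registers one REST route that issues a WooCommerce refund and shows the
 * authorization and validation the plugins named above lacked.
 */

// What the vulnerable plugins effectively did: a privileged callback reachable
// by anyone, because permission_callback allows every request. Do not register
// a route like this.
//
//   register_rest_route('example-shop/v1', '/refund', [
//       'methods'             => 'POST',
//       'callback'            => 'example_shop_refund',
//       'permission_callback' => '__return_true',   // no auth, no capability check
//   ]);

add_action('rest_api_init', function () {
    register_rest_route('example-shop/v1', '/refund', [
        'methods'             => 'POST',
        'callback'            => 'example_shop_refund',
        // Authorization runs before the callback. Cookie-authenticated callers
        // must also send a valid X-WP-Nonce header, which core checks for you;
        // without it the request is treated as anonymous and fails here.
        'permission_callback' => function () {
            if (current_user_can('manage_woocommerce')) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to refund orders.',
                ['status' => is_user_logged_in() ? 403 : 401]
            );
        },
        // Input validation is separate from authorization; both are needed.
        'args' => [
            'order_id' => [
                'required'          => true,
                'validate_callback' => function ($value) {
                    return is_numeric($value) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ],
            'amount' => [
                'required'          => true,
                'validate_callback' => function ($value) {
                    return is_numeric($value) && (float) $value > 0;
                },
            ],
        ],
    ]);
});

function example_shop_refund(WP_REST_Request $request)
{
    $order_id = (int) $request->get_param('order_id');
    $amount   = (float) $request->get_param('amount');

    $order = wc_get_order($order_id);
    if (!$order) {
        return new WP_Error('example_shop_no_order', 'Unknown order.', ['status' => 404]);
    }
    // Never refund more than the order is worth, whoever asks.
    if ($amount > (float) $order->get_total()) {
        return new WP_Error('example_shop_amount', 'Refund exceeds order total.', ['status' => 400]);
    }

    // wc_create_refund() is WooCommerce's own refund API; refund_payment => true
    // asks the configured gateway to return the money as well.
    $refund = wc_create_refund([
        'order_id'       => $order_id,
        'amount'         => $amount,
        'reason'         => 'Refund requested by ' . wp_get_current_user()->user_login,
        'refund_payment' => true,
    ]);
    if (is_wp_error($refund)) {
        return $refund;
    }
    return rest_ensure_response([
        'order_id'  => $order_id,
        'refund_id' => $refund->get_id(),
        'amount'    => $amount,
    ]);
}
```

The point is where the check lives: in `permission_callback`, so it runs before any parameter is read or any money moves, and it asks for a capability (`manage_woocommerce`) rather than merely `is_user_logged_in()`, which a customer account would also satisfy. A quick way to audit installed plugins for the weak pattern is to grep them for `'permission_callback' => '__return_true'` and for `wp_ajax_nopriv_` hooks that reach privileged code.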
WordPress allows administrators to upload plugin files, but it did not verify that the uploaded file is actually a valid plugin archive before processing it. An attacker who already holds an administrator account could upload a disguised malicious file that is then executed on your server. Because the flaw requires administrator credentials, protecting those accounts (strong passwords, multi-factor authentication, as few administrators as possible) matters as much as patching.
Impact: A compromised admin account could upload files that give hackers complete control of your entire server and every website hosted on it.
The REST API in WordPress 4.7.0 and 4.7.1 (a system that allows external tools to interact with your site) did not properly validate the post ID in update requests, letting attackers modify any post or page without logging in by sending specially formatted requests. WordPress 4.7.2 is the release that fixed this flaw, so a site on 4.7.2 is not exposed to it; it is included here because it is the best-known flaw of the 4.7 line, and a site that has sat on 4.7.2 has missed every fix released since.
Impact: Hackers could modify your website content, inject malware, redirect visitors to phishing sites, or deface your entire website.
The iFlyChat plugin has a stored cross-site scripting vulnerability: malicious script can be saved into your website's pages. When visitors view those pages, the script runs in their browsers, potentially stealing their information.
Impact: Your website visitors' data, passwords, and personal information could be stolen, and your site's reputation could be severely damaged.
The remaining 13 CVEs matched to the version string 4.7.2 are listed below. The plugin entries (Print Invoice & Delivery Notes, YML for Yandex Market, GD bbPress Attachments, WP Total Hacks, WP Maps, WP ULike) describe flaws in those plugins' own version 4.7.2 and affect a site only if that plugin is installed; entries worded "before 4.7.2" describe flaws that WordPress 4.7.2 itself fixed. Descriptions are truncated; follow the CVE ID to NVD for the full affected-version list.
| CVE ID | Severity | CVSS score | Published | Description (truncated) |
|---|---|---|---|---|
| CVE-2017-5612 | MEDIUM | 6.1 | 2017-01-30 | Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arb… |
| CVE-2023-0479 | MEDIUM | 6.1 | 2024-01-16 | The Print Invoice & Delivery Notes for WooCommerce WordPress plugin before 4.7.2 is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orde… |
| CVE-2024-9378 | MEDIUM | 6.1 | 2024-10-02 | The YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 4.7.2 due to insuffic… |
| CVE-2024-11278 | MEDIUM | 6.1 | 2024-11-20 | The GD bbPress Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all vers… |
| CVE-2022-3096 | MEDIUM | 5.4 | 2022-10-31 | The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform … |
| CVE-2017-5610 | MEDIUM | 5.3 | 2017-01-30 | wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remot… |
| CVE-2017-6514 | MEDIUM | 5.3 | 2019-05-22 | WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, … |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2025-3502 | MEDIUM | 4.8 | 2025-05-01 | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site… |
| CVE-2025-3503 | MEDIUM | 4.8 | 2025-05-01 | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site… |
| CVE-2025-3504 | MEDIUM | 4.8 | 2025-05-01 | The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-6792 | LOW | 3.5 | 2024-09-06 | The WP ULike WordPress plugin before 4.7.2.1 does not properly sanitize user display names when rendering on a public page. |
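Reading the affected-version phrasing correctly is what separates the entries that apply to 4.7.2 from those that do not. As an added example (not the page's scanner and not NVD's data model), here is a small PHP function that evaluates the four phrasings used in the table ("before X", "through X", "up to, and including, X", "from A through B") against an installed version, run over shortened descriptions taken from the table above. Entries whose affected range is cut off by the truncation (CVE-2023-39999, CVE-2024-32111, CVE-2024-11278) are left out because the visible fragment does not contain their range; the function also says nothing about whether the product is WordPress core or a plugin.

```php
<?php
// Added example: decide whether a CVE description in NVD's usual phrasing
// covers an installed version. Sample descriptions are shortened copies of
// table rows on this page; the installed version is assumed to be 4.7.2.

declare(strict_types=1);

/**
 * Return true if $installed lies in a range expressed by $desc, false if it
 * clearly does not, and null if the description uses no phrasing we parse.
 */
function version_in_affected_range(string $desc, string $installed): ?bool
{
    $v = '(\d+(?:\.\d+)+)';

    // "from A through B", possibly repeated once per maintained branch.
    if (preg_match_all("/from $v through $v/i", $desc, $m, PREG_SET_ORDER)) {
        foreach ($m as $range) {
            if (version_compare($installed, $range[1], '>=')
                && version_compare($installed, $range[2], '<=')) {
                return true;
            }
        }
        return false;
    }
    // "before X": X is the fixed release, so X itself is not affected.
    if (preg_match("/before $v/i", $desc, $m)) {
        return version_compare($installed, $m[1], '<');
    }
    // "through X" / "up to, and including, X": X is still affected.
    if (preg_match("/(?:through|up to, and including,) $v/i", $desc, $m)) {
        return version_compare($installed, $m[1], '<=');
    }
    return null;
}

$installed = '4.7.2';

// Constructed from the table rows above, shortened to the range phrase.
$rows = [
    'CVE-2017-5612' => 'XSS in the posts list table in WordPress before 4.7.2',
    'CVE-2017-5610' => 'Press This in WordPress before 4.7.2 does not properly restrict visibility',
    'CVE-2022-3096' => 'The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users',
    'CVE-2024-9378' => "Reflected XSS via the 'page' parameter in all versions up to, and including, 4.7.2",
    'CVE-2025-3502' => 'The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some settings',
    'CVE-2024-6792' => 'The WP ULike WordPress plugin before 4.7.2.1 does not properly sanitize user display names',
    'CVE-2017-6514' => 'WordPress 4.7.2 mishandles listings of post authors (Path Disclosure)',
];

foreach ($rows as $id => $desc) {
    $r = version_in_affected_range($desc, $installed);
    $verdict = $r === null
        ? 'no range phrase: read the full NVD entry'
        : ($r ? "affects $installed" : "does not affect $installed");
    printf("%-14s %s\n", $id, $verdict);
}
```

Running it reports that the two "before 4.7.2" core entries and the WP Maps entry do not affect 4.7.2, that WP Total Hacks, YML for Yandex Market and WP ULike 4.7.2 do (4.7.2 sorts below 4.7.2.1 under `version_compare`), and that CVE-2017-6514 names the version directly without a range phrase and has to be read by hand. The same function is useful the other way round: feed it your real installed core and plugin versions rather than the string that happened to match a search.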
WordPress 4.7.2 is no longer safe for any website, whether it's a small blog or an e-commerce store. The vulnerabilities documented above, together with every fix released since January 2017 that a 4.7.2 site lacks, provide multiple entry points for hackers to steal your data, install malware, or take your site offline entirely. Upgrading WordPress core to the current release closes the core holes; the plugin flaws listed above are closed only by updating or removing those plugins. Back up the database and files before the upgrade: a jump from 4.7 to a current release runs database upgrade routines and requires a newer PHP version than 4.7 did. The upgrade also brings new features, better performance, and improved user experience.
Don't wait for a security breach to happen. Use SiteRecipe.com's comprehensive WordPress security scanner to identify all vulnerabilities on your site instantly, and our expert guides will walk you through every step of securing your WordPress installation. SiteRecipe.com provides free security audits, detailed remediation plans, and ongoing monitoring to keep your website protected from threats. Visit SiteRecipe.com today and scan your site for free—protecting your WordPress site takes just minutes.