WordPress 4.7.3 is an older version of the popular website builder that contains 12 known security vulnerabilities. While some are minor, one critical flaw could expose your website to hackers who steal data, inject malware, or take your site offline. If you're running this version, you're putting your business at risk. This guide explains what went wrong, how to check if you're vulnerable, and the exact steps to protect your website.
WordPress 4.7.3 was released in 2017 as a maintenance update to WordPress 4.7. It's the software that powers over 43% of all websites on the internet, making it a top target for cybercriminals. This version includes basic blogging tools, content management features, and the ability to add extensions called plugins and themes. Over 121 websites are still using this outdated version today, leaving themselves exposed to security threats.
12 CVEs found. The most critical are explained below.
The Gallery by BestWebSoft plugin has a serious flaw that allows attackers to inject harmful code into your website through a file import feature. This happens because the plugin doesn't properly validate data before processing it, making it vulnerable to abuse by authenticated users.
Impact: An attacker could take control of your website, steal data, or inject malicious content that affects your visitors. This could lead to data breaches, loss of customer trust, and potential legal issues.
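The flaw described above is the PHP object injection class of bug: an import routine hands attacker-controlled data to `unserialize()`, which instantiates whatever classes the serialized string names. The following is an added example of a hardened import handler, not code from the Gallery plugin or from WordPress. The function name, the `ALLOWED_KEYS` schema and the sample payloads are constructed for illustration.

```php
<?php
// Added example (not the plugin's code): decode an uploaded settings blob
// without ever instantiating attacker-supplied objects, then validate shape.

// Hypothetical schema: the only settings this import accepts, with their types.
const ALLOWED_KEYS = ['columns' => 'integer', 'lightbox' => 'boolean', 'title' => 'string'];

function import_gallery_settings(string $payload): array
{
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget can run.
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('import payload must be a serialized array');
    }

    $clean = [];
    foreach ($data as $key => $value) {
        if (!is_string($key) || !isset(ALLOWED_KEYS[$key])) {
            continue; // drop unknown keys instead of storing them blindly
        }
        // Reject objects (incomplete or otherwise) and anything of the wrong type.
        if (is_object($value) || gettype($value) !== ALLOWED_KEYS[$key]) {
            throw new InvalidArgumentException("bad type for setting '$key'");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed inputs: a legitimate export, and one that smuggles an object
// where an integer belongs (a harmless stdClass stands in for a gadget class).
$good = serialize(['columns' => 3, 'lightbox' => true, 'title' => 'Summer']);
$bad  = 'a:1:{s:7:"columns";O:8:"stdClass":0:{}}';

foreach (['good' => $good, 'bad' => $bad] as $label => $payload) {
    try {
        $settings = import_gallery_settings($payload);
        echo "$label: accepted ", json_encode($settings), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```

Inside WordPress the same handler should additionally run only after `current_user_can('manage_options')` and `check_admin_referer()` succeed, and a new import format is better expressed as JSON (`json_decode($payload, true)`), which cannot name classes at all.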
WordPress's Press This feature has a security flaw that allows attackers to trick it into downloading very large files from the internet. This can exhaust your server's resources and slow down or crash your website.
Impact: Your website could become slow or unavailable, resulting in lost sales and poor user experience. Your hosting provider may also charge additional fees for excessive resource usage.
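The defence against this kind of resource exhaustion is to cap both the size and the duration of any server-side fetch of a user-supplied URL. Below is an added example in plain PHP with cURL; it is not the Press This code. The function name and the cap values are assumptions, and the URL is a placeholder.

```php
<?php
// Added example (not WordPress code): fetch a remote resource on behalf of a
// user, aborting if it exceeds a byte cap or a wall-clock timeout.

function fetch_with_cap(string $url, int $max_bytes = 1048576, int $timeout = 10): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // redirects are decided by the caller, not followed blindly
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => $timeout, // a slow drip cannot hold a PHP worker open forever
        // Honoured only when the server sends Content-Length, so it is not enough on its own.
        CURLOPT_MAXFILESIZE    => $max_bytes,
        CURLOPT_NOPROGRESS     => false,
        // Called as data arrives; returning non-zero makes cURL abort the transfer,
        // which covers chunked responses that declare no length at all.
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow) use ($max_bytes) {
            return ($dlNow > $max_bytes || $dlTotal > $max_bytes) ? 1 : 0;
        },
    ]);

    $body = curl_exec($ch);
    $errno = curl_errno($ch);
    curl_close($ch);

    // CURLE_ABORTED_BY_CALLBACK (42) or a timeout both land here: treat as "too big / too slow".
    if ($body === false || $errno !== 0) {
        return null;
    }
    return $body;
}

// Placeholder URL; in a real handler this comes from the user and must also be
// checked for scheme and host before it is ever fetched.
$result = fetch_with_cap('https://example.invalid/page.html', 1048576, 10);
echo $result === null ? "fetch rejected or failed\n" : "fetched " . strlen($result) . " bytes\n";
```

WordPress's own HTTP API (`wp_safe_remote_get()`) accepts a `limit_response_size` argument that serves the same purpose as the byte cap above, and its `timeout` argument bounds the wall-clock time.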
The WPML plugin's language switcher feature doesn't properly clean user input, allowing malicious code to be stored and executed on your website. This affects versions up to 4.7.3 and requires an attacker to have some level of access.
Impact: Visitors could be redirected to malicious sites, have their sessions hijacked, or see fake login forms designed to steal credentials. This damages your website's reputation and customer trust.
WordPress has a flaw in how it validates redirect URLs that allows attackers to use special characters to bypass security checks. This means users could be tricked into being redirected to malicious websites.
Impact: Visitors may be sent to phishing sites or malware downloads without realizing it. This can harm your users and reflect poorly on your website's trustworthiness.
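A redirect validator fails when the server's parser and the browser's parser disagree about which host a URL points to, which is exactly what unusual characters exploit. The added example below (not WordPress's `wp_validate_redirect()`) shows the shape of a strict validator: reject odd characters outright, allow only site-relative paths or absolute URLs whose host is on an allowlist, and fall back to a safe default otherwise. The function name, the host allowlist and the sample inputs are constructed.

```php
<?php
// Added example (not WordPress code): decide where a post-login redirect may go.

function safe_redirect_target(string $url, array $allowed_hosts, string $fallback): string
{
    // Control characters, whitespace and backslashes are rejected outright:
    // browsers normalise some of these into '/', which is how parser
    // disagreements become open redirects.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return $fallback;
    }

    // A site-relative path (single leading slash) is fine;
    // a protocol-relative '//other.host/...' is not.
    if ($url[0] === '/') {
        return ($url[1] ?? '') === '/' ? $fallback : $url;
    }

    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // Credentials in the URL ("trusted.host@other.host") are a classic way to
    // make the trusted name appear first; refuse them rather than reason about them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return $fallback;
    }
    return $url;
}

// Constructed inputs against a hypothetical allowlist.
$allowed  = ['shop.example'];
$fallback = 'https://shop.example/';
$samples  = [
    '/wp-admin/',                          // relative path: allowed
    'https://shop.example/cart',           // allowlisted host: allowed
    '//other.example/',                    // protocol-relative: fallback
    'https://shop.example@other.example/', // credentials trick: fallback
    "https://shop.example\\@other.example/", // backslash: fallback
    'javascript:alert(1)',                 // non-http scheme: fallback
];
foreach ($samples as $s) {
    printf("%-40s -> %s\n", $s, safe_redirect_target($s, $allowed, $fallback));
}
```

The allowlist comparison is exact and case-insensitive on purpose; suffix checks such as "ends with example.com" are the other common source of bypasses.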
A flaw in WordPress allows malicious code to be hidden in category and tag names. When these names are displayed on your site, the hidden code executes in visitors' browsers.
Impact: Attackers could steal visitor information, inject advertisements, or redirect users to malicious sites. Your website could appear compromised and damage customer confidence.
WordPress has a vulnerability that allows users with Author permissions or higher to inject malicious scripts into your website content. This is a low-severity issue but still poses a risk depending on who has access.
Impact: If a disgruntled employee or compromised author account is abused, malicious code could be injected into pages affecting all your visitors. The damage depends on how many people have author-level access.
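Both of the stored XSS issues above (term names, and content from author-level accounts) come down to one rule: data is stored raw and escaped at output, with the escaping chosen for the context it lands in. The added example below, which is not WordPress code, renders a tag link three ways at once: the name as an HTML text node, the name inside an attribute, and the slug inside the URL path. The function names and the constructed tag name are assumptions.

```php
<?php
// Added example (not WordPress code): context-aware output escaping for a term.

function esc_html_text(string $s): string
{
    // Text node or quoted attribute: encode &, <, >, " and '; substitute invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_url_path_segment(string $s): string
{
    // URL path: percent-encode, so a slug can never close the path or add a query.
    return rawurlencode($s);
}

function render_tag_link(string $name, string $slug): string
{
    // Each interpolation uses the escaper for its own context; none relies on
    // the stored value having been "cleaned" when it was saved.
    return sprintf(
        '<a href="/tag/%s/" title="%s">%s</a>',
        esc_url_path_segment($slug),
        esc_html_text($name),
        esc_html_text($name)
    );
}

// Constructed term that a privileged user might save: a harmless-looking name
// carrying markup that would run if echoed unescaped.
$name = 'Gifts "><script>alert(1)</script>';
$slug = 'gifts/../..';

echo render_tag_link($name, $slug), "\n";
// The markup is rendered as visible text and the slug stays a single path segment.
```

In WordPress the equivalent helpers are `esc_html()`, `esc_attr()` and `esc_url()`, and content from accounts without the `unfiltered_html` capability is additionally passed through the `wp_kses` allowlist before it is stored.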
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2017-6814 | MEDIUM | 5.4 | 2017-03-12 | In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the… |
| CVE-2017-6817 | MEDIUM | 5.4 | 2017-03-12 | In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. |
| CVE-2024-6559 | MEDIUM | 5.3 | 2024-07-16 | The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.7.3. Thi… |
| CVE-2017-6816 | MEDIUM | 4.9 | 2017-03-12 | In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-9218 | LOW | 3.7 | 2025-12-13 | The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() fu… |
Running WordPress 4.7.3 is like leaving your front door unlocked—hackers know exactly where to find the weaknesses. The 12 vulnerabilities discovered in this version, especially the PHP Object Injection and XSS flaws, give attackers multiple entry points to compromise your website. Upgrading takes less than 30 minutes and eliminates these known threats instantly. SiteRecipe.com offers free security scanning that identifies vulnerable WordPress versions on your site and alerts you to new CVEs before attackers exploit them. Visit SiteRecipe.com today to scan your website for free and get a detailed security report with step-by-step fix recommendations tailored to your specific setup.