    Home /
    Blog /
    wordpress 4.7.4
  

Security Advisory

WordPress 4.7.4 Security: 6 CVEs Explained & How to Fix

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 49 websites still running wordpress 4.7.4 → View full list

Total

High

Medium

WordPress 4.7.4, released in 2017, is still running on approximately 49 websites worldwide. However, this aging version contains 6 known security vulnerabilities that put your site at serious risk. One high-severity flaw and five medium-severity issues have been discovered, ranging from SQL injection attacks to cross-site scripting (XSS) vulnerabilities.

If you're still using WordPress 4.7.4, your website could be exploited by attackers who can reset passwords, inject malicious code, or steal sensitive information. The good news? These vulnerabilities are well-documented and entirely preventable with proper action. This guide will walk you through identifying whether your site is affected and exactly how to secure it.

Don't let outdated software become your biggest security liability. Understanding these vulnerabilities is the first step toward protecting your WordPress installation and your visitors' data.

What is Wordpress 4.7.4?

WordPress 4.7.4 is a version of WordPress released in April 2017, nearly seven years ago. WordPress is the most popular website builder globally, powering over 43% of all websites on the internet. It's an open-source platform that allows anyone to create blogs, business websites, and online stores without requiring advanced coding knowledge. WordPress 4.7.4 introduced several features and improvements, but like all software, it eventually becomes outdated as new security threats emerge.

Think of WordPress like a house: newer versions are like upgrading your locks and security systems. WordPress 4.7.4 was state-of-the-art when released, but technology and hacking methods have evolved significantly since then. Running an outdated version is comparable to leaving your front door with an old lock that thieves now know how to pick. While many websites still operate on older versions due to compatibility concerns or oversight, doing so exposes them to preventable security risks. Security updates in newer WordPress versions specifically patch vulnerabilities discovered in older releases.

Key Vulnerabilities in Wordpress 4.7.4

6 CVEs found. The most critical are explained below.

HIGH CVE-2021-4134 7.2/10 · CVSS v3.1 ⏱ Within 7 days

Fancy Product Designer Plugin - Admin SQL Injection

An admin user could inject malicious database commands through the Fancy Product Designer plugin. This happens because the plugin doesn't properly validate input before sending it to your database.

Impact: An attacker with admin access could steal sensitive customer data, modify pricing, or corrupt your database. This requires admin-level access, limiting the risk.

↗ View on NVD

MEDIUM CVE-2017-8295 5.9/10 · CVSS v3.0 ⏱ Immediate

Password Reset Email Can Be Manipulated

WordPress relies on email headers that attackers can fake to intercept or redirect password reset emails. An attacker could trick the system into sending reset links to the wrong place.

Impact: Attackers could reset passwords for any account, including yours, and gain unauthorized access to your website. This is a serious threat if not patched.

↗ View on NVD

MEDIUM CVE-2023-7014 5.3/10 · CVSS v3.1 ⏱ Within 7 days

Molongui Author Plugin Exposes Private Information

The Molongui author plugin has a flaw that lets anyone view sensitive hidden data without logging in. Attackers can request special parameters to extract private information.

Impact: Your site could leak confidential author data, email addresses, or other private information that you didn't intend to share publicly.

↗ View on NVD

MEDIUM CVE-2024-7878 4.8/10 · CVSS v3.1 ⏱ Within 30 days

WP ULike Plugin - Admin Can Inject Malicious Code

The WP ULike plugin doesn't properly filter settings, allowing administrators to inject harmful code. This could affect your website's appearance or functionality.

Impact: An admin account could be compromised or misused to inject malicious scripts that harm visitors or steal their data. Requires admin-level access.

↗ View on NVD

MEDIUM CVE-2024-5858 4.3/10 · CVSS v3.1 ⏱ Within 30 days

AI Infographic Maker - Unauthorized Content Changes

The AI Infographic Maker plugin doesn't check user permissions properly on certain functions. Even basic users could potentially modify content they shouldn't access.

Impact: Subscribers or low-level users could generate or modify AI content without authorization, potentially creating spam or inappropriate material on your site.

↗ View on NVD

MEDIUM CVE-2024-9649 4.3/10 · CVSS v3.1 ⏱ Within 30 days

WP ULike - Unprotected Action Requests

The WP ULike plugin is missing security checks (called 'nonce validation') that prevent fake requests. Attackers can trick users into performing unwanted actions.

Impact: Visitors could unknowingly delete their history or have their interactions modified without permission. This could affect user experience and trust.

↗ View on NVD

Is your website running Wordpress 4.7.4?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 49 affected sites

How to Check If Your Website Is Affected

1 Log in to your WordPress admin dashboard and look at the bottom right corner of the screen. You'll see your WordPress version number listed next to 'Version' or visit Settings > General to confirm your version.
2 Check the WordPress.org news section or visit your Dashboard for update notifications. If you see a red notification badge, you're running an outdated version that needs updating.
3 Use a website security scanner like SiteRecipe.com's vulnerability checker to automatically detect which CVEs affect your specific WordPress version and installed plugins.

How to Fix These Vulnerabilities

1 Backup your entire WordPress website immediately. Use your hosting provider's backup feature or install a backup plugin like UpdraftPlus to create a complete copy of your files and database.
2 Update WordPress to the latest stable version by navigating to Dashboard > Updates and clicking 'Update Now.' WordPress will guide you through the process step-by-step, and most updates complete in minutes.
3 Update all plugins and themes to their latest versions. Check Dashboard > Updates for any pending plugin or theme updates. Plugins like Fancy Product Designer, WP ULike, and Molongui mentioned in the CVEs require immediate attention.
4 Scan your website for malware and security issues using SiteRecipe.com or another security scanner to ensure no vulnerabilities remain and no malicious code was injected while your site was unprotected.

Conclusion

WordPress 4.7.4 contains six documented security vulnerabilities that could allow attackers to inject malicious code, steal data, or compromise your website's integrity. The high-severity SQL injection flaw in the Fancy Product Designer plugin and multiple XSS vulnerabilities demonstrate why running outdated software is dangerous. Fortunately, updating to a current WordPress version and patching vulnerable plugins eliminates these risks entirely.

Don't leave your website exposed to known security threats. Use SiteRecipe.com's comprehensive vulnerability scanner to identify which CVEs affect your site right now, then follow our step-by-step guide to secure your WordPress installation. Your visitors trust you with their data—make sure you're protecting it with the latest security patches. Start your free security scan at SiteRecipe.com today and take control of your website's safety.

Frequently Asked Questions

Is WordPress 4.7.4 still safe to use in 2024?

No, WordPress 4.7.4 is no longer safe for production websites in 2024. It contains at least 6 known vulnerabilities, including a high-severity SQL injection flaw and multiple XSS vulnerabilities. WordPress typically supports versions for about 2-3 years before security updates stop, and 4.7.4 is far beyond that window. Update to the latest WordPress version immediately.

Will updating WordPress break my website?

Most WordPress updates are designed to be backward-compatible and won't break your site. However, poorly coded plugins or themes may cause conflicts. This is why creating a complete backup before updating is essential. If issues occur, you can restore from your backup and troubleshoot specific plugins individually.

How do I know if the Fancy Product Designer plugin is on my site?

Log into your WordPress admin dashboard and navigate to Plugins to see all installed plugins listed. Search for 'Fancy Product Designer' in the list. If you see it, you're affected by CVE-2021-4134 and must update the plugin immediately or consider removing it if you no longer use it.

What does 'SQL Injection' mean in plain English?

SQL Injection is a hacking technique where attackers insert malicious code into database queries. Think of it like forging a signature on a check—the attacker tricks your website's database into executing commands it shouldn't, allowing them to steal data or modify your website's content without authorization.

Can SiteRecipe.com help secure my WordPress site?

Yes! SiteRecipe.com's vulnerability scanner automatically detects which CVEs and security issues affect your specific WordPress version and plugins. Our platform provides clear, actionable reports that non-technical users can understand, plus step-by-step guidance on fixing each vulnerability.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 49 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com