Security Advisory

WordPress 4.7.5 Security: 12 CVEs & Protection Guide

📅 June 07, 2026 ·⏱ 5 min read ·🔒 SiteRecipe Security Team
109 websites still running WordPress 4.7.5.
CVEs: 12 total (7 High, 5 Medium).

WordPress 4.7.5 is an older version released in 2017 that contains 12 known security vulnerabilities, including 7 high-severity issues that could compromise your website. If you're still running this version, your site is at significant risk from hackers who actively exploit these known weaknesses. This guide will help you identify if you're affected and take immediate action to secure your WordPress installation.

The vulnerabilities in WordPress 4.7.5 range from Cross-Site Request Forgery (CSRF) attacks to Server-Side Request Forgery (SSRF) and authentication bypass flaws. These weaknesses could allow attackers to upload malicious files, steal sensitive data, or gain unauthorized admin access. With 109 websites still using this version, it remains a prime target for automated attacks.

What is WordPress 4.7.5?

WordPress 4.7.5 is a version of WordPress released in April 2017. WordPress is the world's most popular website building platform, powering over 40% of all websites. Think of it as a content management system (CMS)—software that helps you create, edit, and publish content on your website without needing to know how to code. It's designed for bloggers, small businesses, and enterprises alike.

When WordPress releases a new version, it typically includes bug fixes, new features, and most importantly, security patches that close vulnerabilities discovered in older versions. Version 4.7.5 was released over six years ago, and since then, WordPress has released hundreds of updates with critical security improvements. Using an outdated version like 4.7.5 is like leaving your front door unlocked—it's an open invitation to cybercriminals who know exactly how to exploit its weaknesses.

Key Vulnerabilities in WordPress 4.7.5

12 CVEs found. The most critical are explained below.

HIGH CVE-2017-9064 8.8/10 · CVSS v3.0 ⏱ Immediate
Attackers can change your WordPress file settings without permission

WordPress is missing a security check when you upload files to your server. This means someone could trick you into changing important file settings without your knowledge. They do this by getting you to click a malicious link while you're logged into WordPress.

Impact: An attacker could modify your WordPress installation files, potentially compromising your entire website and the data stored on it.

HIGH CVE-2021-4096 8.8/10 · CVSS v3.1 ⏱ Immediate
Fancy Product Designer plugin allows malicious file uploads

If you use the Fancy Product Designer plugin, attackers can upload dangerous files to your server without proper permission checks. These files could give hackers complete control over your website.

Impact: Attackers gain full access to your web server, can steal customer data, inject malware, or shut down your website entirely.

HIGH CVE-2017-9062 8.6/10 · CVSS v3.0 ⏱ Within 7 days
WordPress improperly handles post information through API

WordPress has a system called XML-RPC that allows external programs to manage your posts. This system doesn't properly validate the information it receives, which could allow attackers to manipulate your post data.

Impact: Attackers could modify or delete your posts, inject malicious content into your site, or steal sensitive information about your posts.

HIGH CVE-2017-9066 8.6/10 · CVSS v3.0 ⏱ Within 7 days
WordPress redirects users to malicious websites

WordPress doesn't properly check where it's redirecting your visitors. An attacker could exploit this to send your users to dangerous websites or make WordPress connect to servers controlled by hackers.

Impact: Your visitors could be sent to malicious sites that steal their information, or attackers could access internal systems through your WordPress installation.

HIGH CVE-2024-7781 8.1/10 · CVSS v3.1 ⏱ Immediate
Jupiter X Core plugin lets anyone log in as administrator

The Jupiter X Core plugin has a serious flaw in its social login feature. Attackers can bypass the login process entirely and gain access as your site administrator without needing a password.

Impact: Hackers gain complete control of your website, can steal all data, modify content, install malware, or lock you out of your own site.

HIGH CVE-2017-9065 7.5/10 · CVSS v3.0 ⏱ Within 7 days
WordPress XML-RPC allows unauthorized post data access

The XML-RPC system in WordPress doesn't properly check permissions before letting external programs access your post information. This means unauthorized users could read or modify your posts.

Impact: Attackers could steal confidential post data, modify published content, or access posts you intended to keep private.


Additional Vulnerabilities (6 more)


CVE ID | Severity | Score | Published | Description
CVE-2022-4972 | HIGH | 7.5 | 2024-10-16 | The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to…
CVE-2025-13866 | MEDIUM | 6.4 | 2025-12-12 | The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action…
CVE-2017-9061 | MEDIUM | 6.1 | 2017-05-18 | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict prese…
CVE-2017-9063 | MEDIUM | 6.1 | 2017-05-18 | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
CVE-2024-7879 | MEDIUM | 4.8 | 2024-11-06 | The WP ULike WordPress plugin before 4.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripti…
CVE-2025-12168 | MEDIUM | 4.3 | 2026-01-17 | The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX…

How to Check If Your Website Is Affected

How to Fix These Vulnerabilities

Conclusion

WordPress 4.7.5 is no longer safe to use in 2024. The 12 known vulnerabilities—especially the 7 high-severity flaws—pose a serious threat to your website's security and your visitors' data. Updating to the latest WordPress version is one of the most important steps you can take to protect your online presence. The update process takes just minutes, but the security benefits are invaluable.

Don't wait until your site gets hacked. Use SiteRecipe.com's free website vulnerability scanner to identify all security issues on your WordPress site, track your WordPress version, and get personalized recommendations for staying secure. Our platform helps you monitor your site continuously, alerting you to new threats before attackers can exploit them. Secure your site today—visit SiteRecipe.com and run a free security scan now.

Frequently Asked Questions

Is WordPress 4.7.5 still supported by WordPress developers?
No. WordPress 4.7.5 was released in April 2017 and is no longer supported with security updates. WordPress only provides security updates for recent versions. Using unsupported versions puts your site at extreme risk of being hacked.
What's the biggest security risk in WordPress 4.7.5?
The most critical vulnerabilities are CSRF (Cross-Site Request Forgery) attacks that can trick you into making changes to your site, and authentication bypass flaws that let attackers log in without a password. These can lead to complete site takeover.
Will updating WordPress delete my posts and content?
No. Updating WordPress to a newer version will not delete your posts, pages, or media. However, you must back up your site before updating just in case something goes wrong during the upgrade process.
Can outdated WordPress versions be hacked easily?
Yes. Hackers use automated tools to scan the internet for websites running vulnerable versions like 4.7.5. Once detected, they exploit known vulnerabilities to inject malware, steal data, or use your site to attack others. Updating immediately is critical.
Do I need to update my plugins and themes too?
Yes. After updating WordPress, you should update all plugins and themes to their latest versions. Older plugins and themes may contain their own vulnerabilities and could conflict with the newest WordPress version, causing performance issues.


DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com