WordPress 4.8, released in 2017, is now severely outdated and poses significant security risks to your website. Our analysis reveals 99 documented vulnerabilities, including 10 critical flaws that could allow attackers to steal data, take over accounts, and delete files. If your site still runs this version, immediate action is required to protect your business.
We've identified that 120 websites are still using WordPress 4.8, making them prime targets for cybercriminals. The most dangerous vulnerabilities involve SQL injection attacks through popular plugins like WP Easy Gallery, ChatBot, and WP Foodbakery. These exploits can be executed remotely without authentication, giving hackers direct access to your database.
This comprehensive guide walks you through identifying if you're vulnerable, understanding the risks, and safely upgrading to a secure version. We'll also show you how SiteRecipe.com can streamline your security updates and protect your WordPress installation.
WordPress 4.8 is a version of the world's most popular website builder, released in June 2017. At that time, it was cutting-edge software, but years of security updates have made it dangerously outdated. Think of it like driving a car from 2017 without any safety updates—it worked fine then, but modern highways and traffic require modern safety features.
WordPress powers over 43% of all websites worldwide, making it both popular and a frequent target for hackers. Version 4.8 was superseded by newer versions that patched critical security holes. Using an old WordPress version is like leaving your front door unlocked; attackers know exactly where to find vulnerabilities because they're well-documented and unpatched in older installations.
99 CVEs found. The most critical are explained below.
The WP Easy Gallery plugin has a security flaw that allows attackers to reach your website's database directly through specially crafted requests. It exists because the plugin doesn't properly validate user input before using it in database queries. If you're running version 4.8.5 or earlier of this plugin, your site is at risk.
Impact: Attackers could steal sensitive customer data, modify website content, create fake admin accounts, or completely compromise your website's database.
This is a flaw in WordPress core itself (versions before 4.8.2) in how it builds certain database queries. WordPress mishandles special characters in query arguments, so plugins and themes that rely on this code can unintentionally open a path for attackers to reach your database.
Impact: Hackers could gain unauthorized access to your database, steal customer information, or take control of your website.
WordPress versions before 4.8.3 have a flaw in how they process database queries when a query is accidentally prepared twice. This creates a loophole that plugins or themes could unintentionally expose. It's a different problem from CVE-2017-14723 but equally serious.
Impact: Hackers could exploit plugins or themes using this flaw to access your database, steal data, or take control of your website.
The ChatBot plugin (version 4.8.9 and earlier) doesn't properly check user inputs before using them in database queries. Hackers don't even need to log in to exploit this—they can attack from outside your website.
Impact: Attackers could access your database, steal customer information, modify website data, or take over your website without any login credentials.
The Hotel Booking Lite plugin (versions before 4.8.5) doesn't properly protect files on your server. Attackers can request and download sensitive files or delete important website files without needing to log in. The plugin also lacks security checks to prevent these actions.
Impact: Hackers could download backup files, configuration files with passwords, or delete critical website files, causing your site to become unavailable or exposing sensitive data.
The WP Foodbakery plugin (version 4.8 and earlier) fails to properly verify user identity when logging in. An attacker can bypass this verification and log in as any user, including administrators, without knowing their password.
Impact: Hackers could take over admin accounts, change your website, steal customer data, inject malicious code, or completely compromise your website.
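One way to do the "are you vulnerable" check this guide promises, as an added example that is not SiteRecipe's code: a small offline Python script that reads the core version from wp-includes/version.php and each plugin's header comment, then compares them against the version ranges given in the write-ups above. The plugin name strings it matches on, and the assumption that each plugin's main file carries the standard "Plugin Name:" and "Version:" header lines, are mine; the sample file contents are constructed.

```python
"""Offline check of a WordPress tree against the outdated versions this page describes."""
import re
from typing import Optional

# Thresholds taken from the page's write-ups, as (bound, inclusive): a version is
# affected when it is below the bound, or equal to it when inclusive is True.
CORE_RULE = ("4.8.3", False)                  # core $wpdb flaws fixed in 4.8.2 / 4.8.3
PLUGIN_RULES = {                               # keyed on the "Plugin Name:" header text
    "WP Easy Gallery": ("4.8.5", True),        # page: 4.8.5 or earlier
    "ChatBot": ("4.8.9", True),                # page: 4.8.9 and earlier
    "Hotel Booking Lite": ("4.8.5", False),    # page: before 4.8.5
    "WP Foodbakery": ("4.8", True),            # page: 4.8 and earlier
}


def parse_version(text: str) -> tuple:
    """Turn '4.8.5' into (4, 8, 5); a non-numeric suffix such as '-beta1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, bound: str, inclusive: bool) -> bool:
    """Numeric comparison, right-padded with zeros so '4.8' and '4.8.0' compare equal."""
    v, b = parse_version(version), parse_version(bound)
    width = max(len(v), len(b))
    v += (0,) * (width - len(v))
    b += (0,) * (width - len(b))
    return v <= b if inclusive else v < b


def core_version(version_php: str) -> Optional[str]:
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return m.group(1) if m else None


def plugin_header(plugin_php: str) -> dict:
    """Read the Plugin Name and Version lines from a plugin's header comment."""
    out = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + key + r":(.*)$", plugin_php, re.M | re.I)
        out[key] = m.group(1).strip() if m else None
    return out


def audit(version_php: str, plugin_files: list) -> list:
    """Return (component, version, rule) for each component still inside an affected range."""
    findings = []
    core = core_version(version_php)
    if core and is_affected(core, *CORE_RULE):
        findings.append(("WordPress core", core, CORE_RULE))
    for src in plugin_files:
        hdr = plugin_header(src)
        if not hdr["Plugin Name"] or not hdr["Version"]:
            continue  # not a main plugin file; skip rather than guess
        for name, rule in PLUGIN_RULES.items():
            if name.lower() in hdr["Plugin Name"].lower() and is_affected(hdr["Version"], *rule):
                findings.append((hdr["Plugin Name"], hdr["Version"], rule))
    return findings


# Constructed sample files standing in for a real install; not taken from any site.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.8';\n"
SAMPLE_PLUGINS = [
    "<?php\n/*\nPlugin Name: WP Easy Gallery\nVersion: 4.8.5\n*/\n",            # inside range
    "<?php\n/**\n * Plugin Name: Hotel Booking Lite\n * Version: 4.8.5\n */\n",  # at the fix
    "<?php\n/*\nPlugin Name: ChatBot\nVersion: 4.8.10\n*/\n",                   # already patched
]

if __name__ == "__main__":
    for component, ver, (bound, inclusive) in audit(SAMPLE_VERSION_PHP, SAMPLE_PLUGINS):
        print(f"AFFECTED: {component} {ver} (affected when {'<=' if inclusive else '<'} {bound})")
```

On a real install, feed it the text of wp-includes/version.php and of each file directly under wp-content/plugins/<plugin>/; note that version 4.8.10 sorts after 4.8.9 numerically, which a plain string comparison would get wrong.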
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-4689 | CRITICAL | 9.8 | 2025-07-02 | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up… |
| CVE-2025-5397 | CRITICAL | 9.8 | 2025-10-31 | The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly v… |
| CVE-2023-5212 | CRITICAL | 9.6 | 2023-10-19 | The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 4.8.9 as well as version 4.9.2. This makes it possible for authentic… |
| CVE-2023-5241 | CRITICAL | 9.6 | 2023-10-19 | The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcld_openai_upload_pagetraining_file function. T… |
| CVE-2021-24750 | HIGH | 8.8 | 2021-12-21 | The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenti… |
| CVE-2024-4662 | HIGH | 8.8 | 2024-05-23 | The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing cus… |
| CVE-2024-3813 | HIGH | 8.8 | 2024-06-15 | The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'td_block_title' shortcode 'block_template_id' att… |
| CVE-2024-9018 | HIGH | 8.8 | 2024-10-01 | The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the ‘key’ parameter in all versions up to, and including, 4.8.5 d… |
| CVE-2024-9849 | HIGH | 8.8 | 2024-11-16 | The Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_sav… |
| CVE-2025-0366 | HIGH | 8.8 | 2025-02-01 | The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This… |
| CVE-2025-6459 | HIGH | 8.8 | 2025-07-02 | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This … |
| CVE-2025-12062 | HIGH | 8.8 | 2026-02-17 | The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and incl… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2025-2105 | HIGH | 8.1 | 2025-04-26 | The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' p… |
| CVE-2025-4380 | HIGH | 8.1 | 2025-07-02 | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa… |
| CVE-2017-14719 | HIGH | 7.5 | 2017-09-23 | Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. |
| CVE-2017-14722 | HIGH | 7.5 | 2017-09-23 | Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. |
| CVE-2012-6707 | HIGH | 7.5 | 2017-10-19 | WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values… |
| CVE-2024-13322 | HIGH | 7.5 | 2025-05-02 | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the 'a_id' parameter in all versions up to, and including,… |
| CVE-2025-4381 | HIGH | 7.5 | 2025-07-02 | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘$id’ variable of the getSpace() function in all versi… |
| CVE-2025-5339 | HIGH | 7.5 | 2025-07-02 | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘bsa_pro_id’ parameter in all versions up t… |
| CVE-2025-6437 | HIGH | 7.5 | 2025-07-02 | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘oid’ parameter in all versions up to, and including, … |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2025-67535 | MEDIUM | 6.6 | 2025-12-09 | Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection.This issue affects WP Maps: fr… |
| CVE-2017-14990 | MEDIUM | 6.5 | 2017-10-03 | WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote a… |
| CVE-2022-1605 | MEDIUM | 6.5 | 2022-06-13 | The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via … |
| CVE-2025-0365 | MEDIUM | 6.5 | 2025-02-01 | The Jupiter X Core plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.8.7 via the inline SVG feature. This makes it possible for aut… |
| CVE-2026-8653 | MEDIUM | 6.5 | 2026-06-04 | The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to generic SQL Injection via the 'columns' parameter in all versions up to, and including, 4.8.20 due to insufficie… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-6938 | MEDIUM | 6.4 | 2024-01-11 | The Oxygen Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom field in all versions up to, and including, 4.8 due to insufficient input sanitiz… |
| CVE-2024-1159 | MEDIUM | 6.4 | 2024-02-13 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.8.0 due to insufficie… |
| CVE-2024-3266 | MEDIUM | 6.4 | 2024-04-09 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of widgets in all versions up to, and including, 4.8.8 due to insuffi… |
| CVE-2024-3267 | MEDIUM | 6.4 | 2024-04-09 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_price_list shortcode in all versions up to, and including, 4.8.8 due… |
| CVE-2024-2734 | MEDIUM | 6.4 | 2024-04-10 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's AI features all versions up to, and including, 4.8.8 due to insufficient i… |
| CVE-2024-2735 | MEDIUM | 6.4 | 2024-04-10 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Price List' element in all versions up to, and including, 4.8.8 due to insufficien… |
| CVE-2024-2736 | MEDIUM | 6.4 | 2024-04-10 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tags in all versions up to, and including, 4.8.8 due to insufficient input sanitiz… |
| CVE-2023-6892 | MEDIUM | 6.4 | 2024-04-18 | The EAN for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_ean_product_meta' shortcode in all versions up to, and including… |
| CVE-2024-3888 | MEDIUM | 6.4 | 2024-06-04 | The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button shortcode in all versions up to, and including, 4.8 due to insufficie… |
| CVE-2025-0845 | MEDIUM | 6.4 | 2025-03-25 | The DesignThemes Core Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.8 due to insufficient input san… |
| CVE-2025-3888 | MEDIUM | 6.4 | 2025-05-17 | The Jupiter X Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File inclusion in all versions up to, and including, 4.8.12 due to insufficient input … |
| CVE-2025-2892 | MEDIUM | 6.4 | 2025-05-19 | The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post Meta Description a… |
| CVE-2025-5923 | MEDIUM | 6.4 | 2025-06-13 | The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficie… |
| CVE-2025-13364 | MEDIUM | 6.4 | 2026-04-16 | The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' short… |
| CVE-2017-14718 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. |
| CVE-2017-14720 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. |
| CVE-2017-14721 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. |
| CVE-2017-14724 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
| CVE-2017-14726 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. |
| CVE-2018-1000556 | MEDIUM | 6.1 | 2018-06-26 | WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client s… |
| CVE-2019-12346 | MEDIUM | 6.1 | 2019-06-24 | In the miniOrange SAML SP Single Sign On plugin before 4.8.73 for WordPress, the SAML Login Endpoint is vulnerable to XSS via a specially crafted SAMLResponse XML post. |
| CVE-2019-15109 | MEDIUM | 6.1 | 2019-08-21 | The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter. |
| CVE-2019-15112 | MEDIUM | 6.1 | 2019-08-21 | The wp-slimstat plugin before 4.8.1 for WordPress has XSS. |
| CVE-2019-15775 | MEDIUM | 6.1 | 2019-08-29 | The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. |
| CVE-2020-6850 | MEDIUM | 6.1 | 2020-02-17 | Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4.8.84 for WordPress allows XSS via a crafted SAML XML Response to wp-login.php. This is related to the SAMLRe… |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2021-24719 | MEDIUM | 6.1 | 2021-10-11 | The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which us… |
| CVE-2022-1220 | MEDIUM | 6.1 | 2022-07-11 | The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting |
| CVE-2024-13010 | MEDIUM | 6.1 | 2025-02-10 | The WP Foodbakery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.8 due to insufficient input sanitization and output esca… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2024-3814 | MEDIUM | 5.5 | 2024-06-15 | The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module in all versions up to, and including, 4.8 due to insufficien… |
| CVE-2017-14725 | MEDIUM | 5.4 | 2017-09-23 | Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2022-4653 | MEDIUM | 5.4 | 2023-01-16 | The Greenshift WordPress plugin before 4.8.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Sto… |
| CVE-2022-4666 | MEDIUM | 5.4 | 2023-02-21 | The Markup (JSON-LD) structured in schema.org WordPress plugin through 4.8.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/po… |
| CVE-2024-1157 | MEDIUM | 5.4 | 2024-02-13 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button URL in all versions up to, and including, 4.8.0 due to insufficient… |
| CVE-2024-1160 | MEDIUM | 5.4 | 2024-02-13 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon Link in all versions up to, and including, 4.8.0 due to insufficient … |
| CVE-2024-2733 | MEDIUM | 5.4 | 2024-04-10 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "Separator" element in all versions up to, and including, 4.8.8 due to ins… |
| CVE-2023-5254 | MEDIUM | 5.3 | 2023-10-19 | The ChatBot plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.8.9 via the qcld_wb_chatbot_check_user function. This can allo… |
| CVE-2023-5533 | MEDIUM | 5.3 | 2023-10-20 | The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and includ… |
| CVE-2024-12316 | MEDIUM | 5.3 | 2025-01-07 | The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_popup_action() function in all versions up to,… |
| CVE-2026-0909 | MEDIUM | 5.3 | 2026-02-03 | The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api`… |
| CVE-2026-5347 | MEDIUM | 5.3 | 2026-04-24 | The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce v… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2021-36833 | MEDIUM | 4.8 | 2022-05-20 | Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress. |
| CVE-2016-9263 | MEDIUM | 4.7 | 2017-10-12 | WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveragin… |
| CVE-2023-5606 | MEDIUM | 4.4 | 2023-11-02 | The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions 4.8.6 through 4.9.6 due to insufficient input sanitization and output escapi… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2023-5534 | MEDIUM | 4.3 | 2023-10-20 | The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce valida… |
| CVE-2024-6688 | MEDIUM | 4.3 | 2024-08-27 | The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all vers… |
| CVE-2024-8437 | MEDIUM | 4.3 | 2024-09-25 | The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX lik… |
| CVE-2024-12033 | MEDIUM | 4.3 | 2025-01-07 | The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sync_libraries() function in all versions up to, and includin… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-12847 | MEDIUM | 4.3 | 2025-11-15 | The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a m… |
| CVE-2025-12358 | MEDIUM | 4.3 | 2025-12-03 | The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to mis… |
| CVE-2025-11759 | MEDIUM | 4.3 | 2025-12-05 | The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due t… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2025-10173 | LOW | 2.7 | 2025-09-26 | The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check… |
| CVE-2025-11888 | LOW | 2.7 | 2025-10-25 | The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
WordPress 4.8 carries unacceptable security risks in 2024. With 10 critical vulnerabilities that allow SQL injection, account takeover, and file deletion, your website, customer data, and business reputation are at serious risk. The good news is that upgrading is straightforward and takes just minutes. Modern WordPress versions receive security patches regularly, and the upgrade process has become much more user-friendly.
Don't wait for a breach to happen. Use SiteRecipe.com's WordPress security scanner today to identify vulnerabilities across your entire site, receive step-by-step upgrade guidance, and get automated security monitoring. Our platform makes WordPress security maintenance effortless, so you can focus on running your business while we protect it. Start your free security scan now and upgrade with confidence.