WordPress 4.8.2, released in September 2017, is years past the end of its useful life. 21 CVE records are associated with that version string (the table below lists 15 of them), but read them carefully before quoting them: the core WordPress entries dated 2017-09-23 describe flaws that 4.8.2 itself fixed ("Before version 4.8.2, WordPress ..."), several rows belong to unrelated plugins whose own version numbers happen to be 4.8.2, and only a few, such as CVE-2016-9263 ("WordPress through 4.8.2"), are recorded against 4.8.2 directly. The real exposure is that an install still reporting 4.8.2 has missed every core security release since 2017 and advertises that fact to anyone who fetches its front page. With 128 websites still running this version, this guide shows how to confirm what you are running and what to do about it.
The headline entry, CVE-2017-14723, is the $wpdb->prepare() SQL injection issue, but NVD records it as "Before version 4.8.2": 4.8.2 is the release that first addressed it, and WordPress 4.8.3 followed about a month later with a further hardening of the same function. What does bear on a 4.8.2 install is the weak password hashing (phpass, iterated MD5), the Flash cross-domain issue in CVE-2016-9263, any later core path traversal or information disclosure CVE whose affected range reaches back to the 4.x branches, and whichever of the listed plugin flaws match plugins you actually have installed. Taken together, that makes 4.8.2 a liability that demands attention now.
WordPress 4.8.2 is an older release of the world's most popular website platform, published in September 2017. It was a security release at the time (it is the version in which the 2017-09-23 CVEs in the table below were fixed), but the 4.8.2 build itself never changes: every fix since then has shipped under a later version number, and researchers have found many further flaws in WordPress core in the years after it. Think of it as an older car model: it may still run, but it lacks the safety features that later models gained after new hazards came to light.
An install still on 4.8.2 lacks every core security fix shipped since then, and it is cheap to spot: the version appears in the generator meta tag, in readme.html, and in the ?ver= query string on core scripts and stylesheets, so scanners can pick 4.8.2 sites out of a crawl without touching anything else. That is the sense in which it is like an unlocked front door: attackers know exactly which weaknesses to try and can find the sites that have them.
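The check the guide promises, as an added example (not code from the page or from WordPress): read the version from wp-includes/version.php on disk, which is authoritative, or fingerprint it remotely from the generator meta tag and the ?ver= string on core stylesheets, then compare it as a numeric tuple rather than a string. The sample file and HTML fragments are constructed for this example, the function names are mine, and the "latest" value is a placeholder to be replaced with the current release from wordpress.org.

```python
import re

# Constructed artefacts standing in for what a 4.8.2 install exposes; they are
# illustrative strings, not captured from any real site.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.8.2';\n"
SAMPLE_HTML = (
    '<head><meta name="generator" content="WordPress 4.8.2" />\n'
    '<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=4.8.2" />\n'
    '</head>'
)
# Same site after a "hide version" plugin strips the generator tag: bundled
# libraries carry their own ?ver (jquery 1.12.4), but core stylesheets under
# wp-includes/css are enqueued with the core version and still give it away.
SAMPLE_HTML_HARDENED = (
    '<head><script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>\n'
    '<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=4.8.2" />\n'
    '</head>'
)
LATEST_PLACEHOLDER = "4.8.3"  # placeholder only; substitute the current release


def parse_version(text):
    """'4.8.2' -> (4, 8, 2); '4.8' -> (4, 8, 0). Tuples compare numerically,
    which is the point: as strings, '4.8.10' < '4.8.2' is True."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("not a WordPress version: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_from_version_php(src):
    """Authoritative source: $wp_version in wp-includes/version.php on disk."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", src)
    return parse_version(m.group(1)) if m else None


def version_from_html(html):
    """Remote fingerprint: generator meta tag first, then ?ver= on core CSS.
    Absence of both is not evidence of being up to date."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', html)
    if m:
        return parse_version(m.group(1))
    m = re.search(r'/wp-includes/css/[^"\'\s>]*\?ver=([\d.]+)', html)
    if m:
        return parse_version(m.group(1))
    return None


def needs_update(found, latest):
    """True when the detected version is older than the reference release."""
    return found < latest


if __name__ == "__main__":
    latest = parse_version(LATEST_PLACEHOLDER)
    for label, found in (
        ("version.php", version_from_version_php(SAMPLE_VERSION_PHP)),
        ("html", version_from_html(SAMPLE_HTML)),
        ("html (hardened)", version_from_html(SAMPLE_HTML_HARDENED)),
    ):
        print(label, found, "needs update" if needs_update(found, latest) else "current")
```

Run it against a copy of version.php pulled from the host, or paste the site's front-page HTML; the on-disk value is the one to trust, because the remote fingerprints can be stripped or spoofed.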
21 CVE records are associated with this version. The entries explained below are the ones this scan ranks highest. For each, decide which of three cases applies: a core flaw that 4.8.2 fixed (the NVD text says "Before version 4.8.2"), a core flaw that affects 4.8.2 ("through 4.8.2", or a later CVE whose affected range covers the 4.x branches), or a plugin flaw that applies only if that plugin is installed.
CVE-2017-14723: $wpdb->prepare(), the helper that plugins and themes use to build parameterised queries, mishandled percent signs and extra placeholders in its arguments. Plugin or theme code that passed attacker-controlled text through it in the wrong position could end up executing an injectable query even though the developer believed the query was safe. NVD records this as "Before version 4.8.2", so 4.8.2 carries the first fix; what 4.8.2 lacks is the later tightening of the same function.
Impact: SQL injection through affected plugin or theme code: read or modify any table, including user records and password hashes, or delete site data.
The Oxygen Builder plugin (a visual page designer) stored data in a way that let lower-privileged users, or attackers holding such an account, run code on the server. This is a plugin flaw rather than a core one: it matters only if Oxygen is installed, whatever core version you run, and a core upgrade alone does not fix it.
Impact: Complete site takeover: attackers can modify content, steal data, install malware, or use your server to attack other sites.
When WordPress extracted an uploaded archive (a plugin or theme zip), it did not adequately validate the file paths stored inside it, so a crafted archive could write files outside the intended directory. Uploading such an archive requires an account that is allowed to install plugins or themes, so this is an escalation from an administrator-level login to file write on the host, not an unauthenticated entry point.
Impact: Files written outside the web root, or into other sites on the same host, leading to code execution or access to files the web application should not reach.
WordPress's theme customizer did not validate file paths properly, so a crafted theme file could be used to read or write files anywhere the web server user can reach. As with the archive issue above, this needs an account able to upload or edit themes.
Impact: Unauthorised reads of sensitive files on the server, or malicious code placed in locations the application does not protect.
WordPress 4.8.2 stores passwords with the phpass "portable" scheme: a salted MD5 digest iterated 8,192 times, recognisable by the $P$B prefix in the user_pass column. That is hashing, not encryption, and the per-user salt rules out precomputed lookup tables, but MD5 is so fast that an attacker holding a dumped wp_users table can test millions of guesses per second per GPU. Newer WordPress releases have moved to bcrypt, which is deliberately slow.
Impact: If the database is dumped, weak or reused passwords are recovered quickly and used to log in, with administrator accounts the obvious target.
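To make the hashing point concrete, here is a Python reimplementation of the phpass portable scheme that WordPress 4.8.2 uses, with a classifier for what is in a user_pass column and a small wordlist attack. This is an added example written for this page, not WordPress or phpass code; the function names, the sample password, the fixed salt and the wordlist are constructed for illustration, and the optional "$wp" prefix accepted by the classifier is an assumption about how recent core releases label bcrypt hashes.

```python
import hashlib
import hmac
import re
import secrets

# phpass's alphabet; the index of the character after "$P$" is log2(rounds).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's own unpadded base64 variant over the ITOA64 alphabet."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def gen_salt():
    """8 ITOA64 characters derived from 6 random bytes, as phpass does."""
    return _encode64(secrets.token_bytes(6), 6)


def phpass_hash(password, salt, count_log2=13):
    """Portable phpass hash. WordPress constructs PasswordHash(8, true); on
    PHP 5+ phpass adds 5 to that, giving count_log2 = 13, i.e. 8192 MD5
    rounds and the familiar "$P$B" prefix."""
    if len(salt) != 8 or not 7 <= count_log2 <= 30:
        raise ValueError("salt must be 8 chars and count_log2 within 7..30")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(digest, 16)


def phpass_check(password, stored):
    """Recompute from the salt and round count embedded in the stored hash."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) != 34:
        return False
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    computed = phpass_hash(password, stored[4:12], count_log2)
    return hmac.compare_digest(computed[3:], stored[3:])


def classify_hash(stored):
    """Which scheme a wp_users.user_pass value uses."""
    if stored[:3] in ("$P$", "$H$") and len(stored) == 34:
        return "phpass portable MD5, %d rounds" % (1 << ITOA64.find(stored[3]))
    if re.match(r"^(\$wp)?\$2[aby]\$", stored):  # "$wp" prefix: assumed form for newer core
        return "bcrypt"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted MD5 (pre-2.5 legacy)"
    return "unknown"


def crack(stored, wordlist):
    """Dictionary attack. 8192 MD5 rounds per guess is cheap on a CPU and far
    cheaper on a GPU; this loop is what an attacker runs at scale."""
    for guess in wordlist:
        if phpass_check(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample: a weak password with a fixed salt so output is stable.
    h = phpass_hash("Winter2017!", "abcdefgh")
    print(h, "|", classify_hash(h))
    print("cracked:", crack(h, ["password", "123456", "Winter2017!", "letmein"]))
```

Point the classifier at a dump of user_pass values to see how many accounts still carry $P$ hashes; those are the ones a password-reset campaign should target after an upgrade, since existing hashes are only re-hashed when the user next logs in.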
WordPress stores the activation keys for new user accounts in plaintext in the database. Anyone who can read the database (through a SQL injection in a plugin, say, or a leaked backup) can use those keys to complete account activations without ever receiving the activation email.
Impact: Attackers could hijack pending registrations and log in as those users; if the pending account was invited with an administrator role, that is admin access.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2026-8653 | MEDIUM | 6.5 | 2026-06-04 | The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to generic SQL Injection via the 'columns' parameter in all versions up to, and including, 4.8.20 due to insufficie… |
| CVE-2017-14718 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. |
| CVE-2017-14720 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. |
| CVE-2017-14721 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. |
| CVE-2017-14724 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
| CVE-2017-14726 | MEDIUM | 6.1 | 2017-09-23 | Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. |
| CVE-2019-15109 | MEDIUM | 6.1 | 2019-08-21 | The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter. |
| CVE-2022-1220 | MEDIUM | 6.1 | 2022-07-11 | The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2017-14725 | MEDIUM | 5.4 | 2017-09-23 | Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2016-9263 | MEDIUM | 4.7 | 2017-10-12 | WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveragin… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-11759 | MEDIUM | 4.3 | 2025-12-05 | The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due t… |
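The table mixes three kinds of entry, and sorting them by hand is error-prone, so here is a small triage script as an added example (my code, not the page's or WordPress's). It applies the rules given above to the NVD summary text: plugin entries are flagged as plugin-specific, explicit "from X through Y" ranges are checked against the target version, a bare "before X" means the fix shipped in X, and a bare "through X" means X is affected. The rows are transcribed from the table above, truncation marks included; the final row is a made-up description added only to show the "fixed in a later branch" case, and the function names are mine.

```python
import re

TARGET = "4.8.2"

# Rows transcribed from the table above. The last row is hypothetical, not a
# real CVE, and exists only to exercise the "fix shipped after target" path.
ROWS = [
    ("CVE-2017-14721", "Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name."),
    ("CVE-2016-9263", "WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveragin…"),
    ("CVE-2019-15109", "The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter."),
    ("CVE-2022-1220", "The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting"),
    ("CVE-2023-39999", "Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr…"),
    ("HYPOTHETICAL-0001", "Before version 4.9.1, WordPress did something unsafe (made-up description for this example)."),
]

# "plugin editor" / "plugin name" in core summaries must not trip this rule.
PLUGIN_RE = re.compile(r"plugin (?:for WordPress|before \d)|WordPress plugin", re.I)
RANGE_RE = re.compile(r"from (\d+(?:\.\d+)*) through (\d+(?:\.\d+)*)", re.I)
BEFORE_RE = re.compile(r"\bbefore (?:version )?(\d+(?:\.\d+)*)", re.I)
THROUGH_RE = re.compile(r"\bthrough (\d+(?:\.\d+)*)", re.I)


def parse_version(s):
    """'4.8' -> (4, 8, 0), '4.8.20' -> (4, 8, 20); numeric, not lexicographic."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))


def triage(description, target=TARGET):
    t = parse_version(target)
    if PLUGIN_RE.search(description):
        return "plugin-specific"
    ranges = RANGE_RE.findall(description)
    if ranges:
        if any(parse_version(lo) <= t <= parse_version(hi) for lo, hi in ranges):
            return "affects target"
        # A truncated list may hide exactly the branch that matters.
        return "check NVD affected range" if description.endswith("…") else "outside listed ranges"
    m = BEFORE_RE.search(description)
    if m:  # "before X": the fix shipped in X, so anything older than X is exposed
        return "affects target" if t < parse_version(m.group(1)) else "fixed in target or earlier"
    m = THROUGH_RE.search(description)
    if m:  # "through X": X itself is still affected
        return "affects target" if t <= parse_version(m.group(1)) else "fixed in target or earlier"
    return "check NVD affected range"


def triage_all(rows, target=TARGET):
    return {cve_id: triage(desc, target) for cve_id, desc in rows}


if __name__ == "__main__":
    for cve_id, verdict in triage_all(ROWS).items():
        print("%-18s %s" % (cve_id, verdict))
```

One caveat the script cannot resolve on its own: "before X" names the release that carried the fix, and WordPress also backports fixes into older branches under their own point releases, so a site on, say, 4.8.x later than 4.8.2 may already have a fix that the 4.9 release note describes. For 4.8.2 exactly that does not help, since every backport to the 4.8 branch came after it.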
WordPress 4.8.2 is no longer safe for any site that handles personal data or takes payments. It predates years of core security releases, its password hashing is weak by current standards, and several of the entries above apply to it directly. Upgrading to the current WordPress release is the fix, and the update itself takes minutes, but a jump from 4.8 is a large one: take a full backup, check that your host's PHP version meets the new release's minimum, and test the update on a staging copy with your plugins and themes before touching production.
Don't wait for a breach to force the issue. Use SiteRecipe.com's comprehensive security scanning tool to identify all vulnerabilities on your site, receive step-by-step upgrade guidance, and monitor your WordPress security going forward. Our platform makes it easy to stay protected with automated security checks and expert recommendations tailored to your specific setup.
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.