    Home /
    Blog /
    wordpress 4.8.4
  

Security Advisory

WordPress 4.8.4 Security Vulnerabilities: 2 CVEs Explained

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 12 websites still running wordpress 4.8.4 → View full list

Total

Medium

Low

WordPress 4.8.4 is an older version of the popular content management system that powers millions of websites worldwide. While it was once a stable release, security researchers have discovered 2 documented vulnerabilities (CVEs) that could potentially compromise your website's safety. If you're running this version, it's crucial to understand these risks and take immediate action to protect your site.

These vulnerabilities range from medium to low severity, but they should never be ignored. Security threats evolve constantly, and attackers actively exploit known weaknesses in outdated software. In this comprehensive guide, we'll walk you through identifying if your site uses WordPress 4.8.4, understanding the specific vulnerabilities, and implementing fixes to secure your website.

What is Wordpress 4.8.4?

WordPress 4.8.4 is an older release of WordPress, the world's most popular website builder and content management system. Released several years ago, this version served millions of websites as a stable platform for creating and managing online content. Like all software, WordPress receives periodic updates to fix bugs, improve performance, and patch security holes as they're discovered.

Think of WordPress like your home's security system—when vulnerabilities (security weaknesses) are discovered, they need to be patched promptly. WordPress 4.8.4 is now considered outdated, and while it may still function, leaving it unpatched exposes your site to unnecessary risk. The vulnerabilities found in this version have been documented by security experts, meaning malicious actors know about them and may actively target websites still running it.

Key Vulnerabilities in Wordpress 4.8.4

2 CVEs found. The most critical are explained below.

MEDIUM CVE-2021-24719 6.1/10 · CVSS v3.1 ⏱ Within 7 days

Enfold Theme Security Flaw Allows Malicious Code Injection

The Enfold theme version 4.8.3 and earlier has a vulnerability that allows attackers to inject malicious code through specially crafted links. When visitors click these links, the malicious code runs in their browsers, potentially stealing their information or compromising their session.

Impact: Attackers could steal visitor data, session cookies, or credentials. Your website visitors could be redirected to malicious sites or have their browsers compromised without your knowledge.

↗ View on NVD

LOW CVE-2025-11888 2.7/10 · CVSS v3.1 ⏱ Within 30 days

ShopEngine Plugin Allows Unauthorized Store Changes

The ShopEngine WooCommerce plugin (version 4.8 and earlier) lacks proper permission checks on certain functions. This means someone with limited or no legitimate access could potentially modify your store settings without authorization.

Impact: Unauthorized users could change your product listings, pricing, store settings, or other critical WooCommerce data, disrupting your business operations and customer experience.

↗ View on NVD

Is your website running Wordpress 4.8.4?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 12 affected sites

How to Check If Your Website Is Affected

1 Log into your WordPress admin dashboard and look at the bottom right corner of any page—you'll see your WordPress version number listed
2 Alternatively, go to Dashboard > Updates to see your current version and any available updates
3 If you see version 4.8.4 or any version below 6.0, your site is vulnerable and requires immediate attention

How to Fix These Vulnerabilities

1 Back up your entire website first—this protects all your content and database in case something goes wrong during the update process
2 Go to Dashboard > Updates and click 'Update Now' to install the latest WordPress version available for your site
3 Update all your plugins and themes, as outdated extensions may contain their own vulnerabilities (like the Enfold theme XSS issue mentioned)
4 Test your website thoroughly after updating to ensure all functionality works correctly, then monitor your site for any issues over the next 24-48 hours

Conclusion

Securing WordPress 4.8.4 is not optional—it's essential for protecting your website, your visitors' data, and your business reputation. The vulnerabilities we've discussed can allow attackers to steal information, inject malicious code, or compromise your site's functionality. By updating to the latest version and keeping all plugins and themes current, you'll eliminate these known risks and benefit from ongoing security improvements.

Don't let your website become an easy target for cybercriminals. Use SiteRecipe.com to scan your entire website for vulnerabilities, outdated software, and security gaps. Our advanced scanning technology identifies exactly what needs fixing, and our expert recommendations make it simple for you to take action. Visit SiteRecipe.com today for a free security assessment and take control of your website's safety.

Frequently Asked Questions

What exactly is CVE-2021-24719 and how does it affect my site?

CVE-2021-24719 is a Cross-Site Scripting (XSS) vulnerability found in the Enfold WordPress theme versions before 4.8.4. This means attackers could inject malicious scripts into your website that could steal visitor information or redirect users to harmful sites. If you're using the Enfold theme, updating it immediately is critical to close this security hole.

Is WordPress 4.8.4 still safe to use if I update my plugins and themes?

While updating plugins and themes helps, it's not enough. The WordPress core itself (version 4.8.4) has known vulnerabilities. You should upgrade to at least version 6.0 or later for current security patches. Continuing to run an outdated WordPress version is like having a broken lock on your front door—no amount of new furniture will fix the real problem.

How long does it take to update WordPress from 4.8.4 to the current version?

Most WordPress updates take 5-15 minutes depending on your site's size and complexity. However, we strongly recommend creating a full backup first, which may add another 10-30 minutes. If any issues arise, your backup allows you to restore your site quickly. Many users experience zero downtime with automatic WordPress updates.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 12 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com