    Home /
    Blog /
    wordpress 4.8.5
  

Security Advisory

WordPress 4.8.5: 7 Critical CVEs & Security Fixes

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 21 websites still running wordpress 4.8.5 → View full list

Total

Critical

High

Medium

WordPress 4.8.5 is an older version that contains 7 known security vulnerabilities, including 2 critical flaws that could compromise your website. If you're still running this version, your site is at significant risk from attackers exploiting SQL injection attacks, unauthorized file access, and data breaches. This guide will help you identify if you're affected and provide step-by-step instructions to protect your WordPress installation.

What is Wordpress 4.8.5?

WordPress 4.8.5 is a legacy version released several years ago that many website owners may still be using, either because they haven't updated or their hosting environment doesn't support newer versions. While WordPress is one of the world's most popular website platforms, older versions lack critical security patches that protect against modern threats. Version 4.8.5 specifically has fallen behind significantly, with multiple plugins distributed through WordPress repositories containing dangerous vulnerabilities.

Key Vulnerabilities in Wordpress 4.8.5

7 CVEs found. The most critical are explained below.

CRITICAL CVE-2024-8436 9.9/10 · CVSS v3.1 ⏱ Immediate

WP Easy Gallery Plugin - Database Attack Vulnerability

A hacker can manipulate certain image editing features in the WP Easy Gallery plugin to inject malicious commands directly into your website's database. This happens because the plugin doesn't properly filter user inputs before sending them to the database.

Impact: An attacker could steal sensitive information from your database, modify your website content, create unauthorized admin accounts, or completely compromise your site's integrity.

↗ View on NVD

CRITICAL CVE-2023-5991 9.8/10 · CVSS v3.1 ⏱ Immediate

Hotel Booking Lite Plugin - Unauthorized File Access

The Hotel Booking Lite plugin has a critical flaw that allows anyone on the internet, even without a login, to download or delete files stored on your web server. The plugin fails to verify who is making the request or validate which files can be accessed.

Impact: Hackers could steal your entire website, customer data, booking information, and configuration files, or delete critical files to take your site offline completely.

↗ View on NVD

HIGH CVE-2024-9018 8.8/10 · CVSS v3.1 ⏱ Immediate

WP Easy Gallery Plugin - Advanced Database Attack

Similar to CVE-2024-8436, this is another way attackers can exploit the WP Easy Gallery plugin to manipulate your database by inserting malicious code through the search functionality. The plugin doesn't properly protect against these time-based database attacks.

Impact: Attackers could extract sensitive data from your database, modify records, or gain unauthorized access to administrative functions.

↗ View on NVD

MEDIUM CVE-2024-12316 5.3/10 · CVSS v3.1 ⏱ Within 7 days

Jupiter X Core - Unauthorized Template Export

The Jupiter X Core plugin doesn't properly check user permissions before allowing people to export popup templates. This means anyone visiting your site can download your popup designs and configurations without logging in.

Impact: Your proprietary designs and marketing templates could be stolen and reused by competitors, and sensitive configuration data could be exposed.

↗ View on NVD

MEDIUM CVE-2024-8437 4.3/10 · CVSS v3.1 ⏱ Within 7 days

WP Easy Gallery Plugin - Unauthorized Settings Access

The WP Easy Gallery plugin doesn't verify user permissions before allowing access to important settings through hidden AJAX requests. Logged-in users with minimal permissions can access and modify features they shouldn't have access to.

Impact: Malicious users could change gallery settings, add malicious galleries, or escalate their access privileges on your website.

↗ View on NVD

MEDIUM CVE-2024-12033 4.3/10 · CVSS v3.1 ⏱ Within 30 days

Jupiter X Core - Subscriber Permission Bypass

The Jupiter X Core plugin has a permission check flaw that allows even basic subscriber accounts to sync and update library content. These users should have very limited access but can perform administrative library functions instead.

Impact: Low-level users could modify website content libraries, introduce malicious elements, or disrupt website functionality through unauthorized library changes.

↗ View on NVD

Additional Vulnerabilities (1 more)

Showing first 10 of 1. View all on NVD ↗

CVE ID	Severity	Score	Published	Description
CVE-2025-12358	MEDIUM	4.3	2025-12-03	The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to mis…

          Full Report Available
        

All 7 CVEs with AI explanations + fix guide

Plain English · Fix recommendations · Instant PDF & HTML download

⬇ Get Full Report

          PDF + HTML · Instant download
        

Is your website running Wordpress 4.8.5?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 21 affected sites

How to Check If Your Website Is Affected

1 Log in to your WordPress admin dashboard and look for a notification banner or check Settings > General to see your current WordPress version number
2 Go to Plugins section and identify if you're using WP Easy Gallery, Hotel Booking Lite, or Jupiter X Core plugins, especially versions up to 4.8.5
3 Use a WordPress security scanner tool or contact your hosting provider to audit your entire installation for known vulnerabilities and outdated software

How to Fix These Vulnerabilities

1 Back up your entire WordPress site including the database before making any changes—use your hosting provider's backup tools or a plugin like UpdraftPlus
2 Update WordPress to the latest stable version (currently 6.4+) by going to Dashboard > Updates and clicking 'Update Now' for WordPress core
3 Update or remove vulnerable plugins: WP Easy Gallery, Hotel Booking Lite, and Jupiter X Core must be updated to versions after 4.8.5, or removed if no longer needed
4 Run a security scan using Wordfence, Sucuri, or similar tools to ensure all vulnerabilities are patched and no malicious code was injected during the vulnerable period

Conclusion

WordPress 4.8.5 is no longer safe for production websites. The 7 known vulnerabilities—especially the critical SQL injection flaws in WP Easy Gallery and Hotel Booking Lite—leave your site exposed to data theft, file manipulation, and complete compromise. Updating to the latest WordPress version and patching all plugins is not optional; it's essential for protecting your business, customer data, and website reputation. Use SiteRecipe.com's comprehensive WordPress security audit tools to identify vulnerabilities across your entire installation and receive actionable recommendations for securing your site today.

Frequently Asked Questions

What happens if attackers exploit these WordPress 4.8.5 vulnerabilities?

Attackers can execute SQL injection attacks to steal sensitive database information, download or delete arbitrary files from your server, and gain unauthorized access to administrative functions. This could lead to complete website takeover, malware installation, and theft of customer data including payment information and personal details.

Is it safe to skip updating from WordPress 4.8.5 to the latest version?

No, skipping updates is extremely dangerous. Each WordPress version includes security patches for newly discovered vulnerabilities. Running outdated software leaves you vulnerable to increasingly sophisticated attacks. Updates also improve performance, add features, and ensure compatibility with modern plugins and themes.

Will updating WordPress 4.8.5 break my website?

While major updates can occasionally cause compatibility issues with very old plugins or custom code, the risks of NOT updating are far greater. Always backup your site first, then update. Most modern WordPress sites update seamlessly. SiteRecipe.com can help identify potential compatibility issues before you update.

How long should I have been using WordPress 4.8.5?

WordPress 4.8.5 was released years ago and is now completely outdated. WordPress releases major updates regularly and provides security patches for current versions only. If your site is still on 4.8.5, you've likely missed years of security improvements and feature enhancements.

Can SiteRecipe.com help identify which vulnerabilities affect my site?

Yes, SiteRecipe.com's security scanning tools can audit your WordPress installation, detect your current version and plugins, and identify which specific CVEs pose a risk to your website. We provide detailed reports with prioritized remediation steps tailored to your specific setup.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 21 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com