Security Advisory

WordPress 4.8.6 Security Issues: 4 CVEs Explained

📅 June 07, 2026 ·⏱ 5 min read ·🔒 SiteRecipe Security Team
4 CVEs total: 1 High, 3 Medium

WordPress 4.8.6, released in 2017, is an outdated version still running on 18 websites worldwide. While older versions may seem harmless, this particular release contains 4 documented security vulnerabilities that can expose your site to serious attacks. These flaws range from Local File Inclusion (LFI) to Cross-Site Scripting (XSS), putting your website data and visitor information at risk.

If you're still using WordPress 4.8.6, your site could be vulnerable to attackers who exploit these known security holes. The good news? These issues are completely preventable with the right steps. This guide walks you through identifying if you're affected and implementing proper fixes to secure your WordPress installation.

What is WordPress 4.8.6?

WordPress 4.8.6 is an older version of WordPress, the popular website building platform used by millions globally. Released in 2017, it's been succeeded by dozens of newer versions with improved features and security patches. Many websites still run older WordPress versions because updates can sometimes be delayed or forgotten, especially on smaller or abandoned sites.

Think of WordPress versions like software updates on your phone—each new version fixes bugs and closes security holes discovered in previous versions. Running WordPress 4.8.6 means you're missing years of security improvements and protection against modern threats. This outdated version is particularly risky because hackers know exactly which vulnerabilities exist and actively scan the internet for websites still using it.

Key Vulnerabilities in WordPress 4.8.6

4 CVEs found. The most critical are explained below.

HIGH CVE-2025-12062 8.8/10 · CVSS v3.1 ⏱ Immediate
WP Maps Plugin Allows Unauthorized File Access

A security weakness in the WP Maps plugin (versions up to 4.8.6) allows people with basic user accounts to view files on your server that they shouldn't access. This is like leaving a side door unlocked that anyone with a visitor pass could open.

Impact: Attackers could read sensitive files like configuration files containing database passwords, API keys, or other private information stored on your server.

MEDIUM CVE-2025-67535 6.6/10 · CVSS v3.1 ⏱ Within 7 days
WP Maps Plugin Data Corruption Risk

The WP Maps plugin has a vulnerability that allows attackers to manipulate how the plugin processes data, potentially corrupting your site's functionality. Think of it as someone being able to reprogram how your plugin behaves.

Impact: An attacker could inject malicious code or cause unexpected behavior in your map features, potentially affecting your website's performance or data integrity.

MEDIUM CVE-2021-36833 4.8/10 · CVSS v3.1 ⏱ Within 30 days
MC4WP Email Plugin Admin Code Injection

The MC4WP email marketing plugin (version 4.8.6 and earlier) allows administrators to accidentally inject malicious code into your website. An admin account with bad intentions could insert harmful scripts.

Impact: Malicious code could be stored on your site and executed, potentially stealing visitor information, redirecting users, or spreading malware to your audience.

MEDIUM CVE-2023-5606 4.4/10 · CVSS v3.1 ⏱ Within 30 days
ChatBot Plugin Admin Code Injection Risk

The ChatBot plugin's FAQ builder feature (versions 4.8.6-4.9.6) doesn't properly filter what administrators type in, allowing them to inject malicious code into your website. This requires someone with admin access to do it intentionally.

Impact: If a compromised admin account is used, harmful code could be injected into your FAQ section and executed on your website, affecting visitors.
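
The version ranges in the four entries above are plugin versions, so the practical check is against your installed plugin inventory. The following is an added example, not SiteRecipe's code: it matches a constructed inventory, shaped like `wp plugin list --format=json` output, against the ranges as stated above. The plugin slugs are assumptions (the page does not give them), and CVE-2025-67535 has no range on this page, so it is reported for manual verification.

```python
import json
import re

# Affected ranges as stated in the advisory above (they are plugin versions).
# Slugs are assumptions, not given on the page; None means "no bound stated".
ADVISORIES = [
    ("CVE-2025-12062", "wp-google-map-plugin", None, "4.8.6"),
    ("CVE-2025-67535", "wp-google-map-plugin", None, None),
    ("CVE-2021-36833", "mailchimp-for-wp", None, "4.8.6"),
    ("CVE-2023-5606", "chatbot", "4.8.6", "4.9.6"),
]

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE_INVENTORY = """[
 {"name": "wp-google-map-plugin", "status": "active", "update": "available", "version": "4.8.6"},
 {"name": "mailchimp-for-wp", "status": "active", "update": "none", "version": "4.8.10"},
 {"name": "chatbot", "status": "inactive", "update": "available", "version": "4.9"}
]"""


def vkey(version, width=4):
    """Map '4.8.10' to (4, 8, 10, 0) so versions compare numerically."""
    nums = [int(m.group()) if (m := re.match(r"\d+", part)) else 0
            for part in version.split(".")]
    return tuple((nums + [0] * width)[:width])


def match_advisories(inventory_json):
    """Return (slug, version, cve, verdict) for each advisory that applies."""
    findings = []
    for plugin in json.loads(inventory_json):
        installed = vkey(plugin["version"])
        for cve, slug, low, high in ADVISORIES:
            if plugin["name"] != slug:
                continue
            if low is None and high is None:
                verdict = "range not stated, check NVD"
            elif (low and installed < vkey(low)) or (high and installed > vkey(high)):
                continue
            else:
                verdict = "affected"
            findings.append((slug, plugin["version"], cve, verdict))
    return findings


if __name__ == "__main__":
    for finding in match_advisories(SAMPLE_INVENTORY):
        print(*finding, sep="  ")
```

Note that 4.8.10 is correctly treated as newer than 4.8.6; a plain string comparison would get this wrong and flag a fixed plugin as affected.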



How to Check If Your Website Is Affected

How to Fix These Vulnerabilities

Conclusion

WordPress 4.8.6 poses serious security risks with its 4 known vulnerabilities affecting file access, data handling, and site content. The stakes are high—these vulnerabilities can lead to data theft, malware injection, and complete website compromise. Fortunately, updating to the latest WordPress version eliminates these risks entirely and provides years of additional security improvements.

Don't leave your website exposed to known attacks. Use SiteRecipe.com's comprehensive security scanning tool to identify vulnerabilities across your entire WordPress installation, get step-by-step remediation guidance, and continuously monitor for new threats. Our platform makes it easy to understand technical security issues in plain language and fix them quickly. Start your free security scan today and protect your website from the vulnerabilities affecting WordPress 4.8.6.

Frequently Asked Questions

Is WordPress 4.8.6 still supported by WordPress?
No, WordPress 4.8.6 is no longer supported. WordPress only provides security updates for the current version and one version back. Running unsupported versions means you won't receive patches for newly discovered vulnerabilities, making your site increasingly risky over time.
Can I update WordPress 4.8.6 without losing my content?
Yes, WordPress updates preserve all your content, posts, pages, and settings. However, you should always create a complete backup before updating. Some older plugins may not be compatible with newer WordPress versions, so test thoroughly after updating.
What's the difference between the CVEs listed for WordPress 4.8.6?
The vulnerabilities include Local File Inclusion (accessing files you shouldn't), Object Injection (manipulating code execution), and Stored XSS (injecting malicious scripts). Each poses different risks—LFI is the most severe (HIGH severity) and can expose sensitive files directly.
Do I need to update plugins if I update WordPress?
Yes, many plugins require updates for compatibility with newer WordPress versions. Always update your plugins, especially those flagged in vulnerability databases. Some older plugins may not work with current WordPress versions and should be replaced with maintained alternatives.
How often should I update WordPress?
Update WordPress as soon as major updates are released (usually monthly) and immediately for security releases. Enable automatic updates in WordPress settings to stay protected without manual effort. Regular updates are the best defense against new vulnerabilities.


DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com