    Home /
    Blog /
    wordpress 4.8.7
  

Security Advisory

WordPress 4.8.7 Security: 5 Critical CVEs Explained

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 32 websites still running wordpress 4.8.7 → View full list

Total

High

Medium

WordPress 4.8.7 contains 5 significant security vulnerabilities that could put your website at risk. While no critical-level flaws have been discovered, one high-severity vulnerability affecting the Jupiter X Core plugin allows authenticated attackers to execute remote code on your site. This version is currently running on 32 websites, making it a prime target for hackers looking to exploit outdated installations.

If you're still using WordPress 4.8.7, you need to take immediate action to protect your site. The vulnerabilities range from Local File Inclusion to Remote Code Execution, Directory Traversal, and multiple Cross-Site Scripting (XSS) attacks through popular plugins. This guide will help you identify whether your site is vulnerable and walk you through the essential steps to secure it.

Understanding these threats is the first step toward protecting your website. Even if you're not a technical expert, following our straightforward recommendations will significantly reduce your risk of being compromised.

What is Wordpress 4.8.7?

WordPress 4.8.7 is an older version of WordPress, the world's most popular website creation platform. Released several years ago, this version allowed millions of website owners to build and manage their sites without needing advanced coding knowledge. However, like all software, WordPress 4.8.7 was eventually superseded by newer versions that include better security features and performance improvements.

This version becomes problematic when combined with certain plugins that have their own security flaws. While WordPress core itself may be relatively stable, vulnerable plugins like Jupiter X Core, EAN for WooCommerce, and WP Maps can create dangerous entry points for attackers. When plugins aren't updated alongside your WordPress installation, these security gaps can be exploited to steal data, inject malicious code, or take complete control of your website.

Key Vulnerabilities in Wordpress 4.8.7

5 CVEs found. The most critical are explained below.

HIGH CVE-2025-0366 8.8/10 · CVSS v3.1 ⏱ Immediate

Jupiter X Core Plugin - Attackers Can Run Malicious Code

A dangerous flaw in the Jupiter X Core plugin allows people with editor or contributor access to your site to upload and run harmful code. This is like giving someone the keys to your website's engine room. If a disgruntled employee or hacked account gains this access, they can take complete control of your site.

Impact: An attacker could steal all your data, modify your website content, install malware, or use your site to attack visitors. Your business reputation and customer trust could be severely damaged.

↗ View on NVD

MEDIUM CVE-2025-0365 6.5/10 · CVSS v3.1 ⏱ Immediate

Jupiter X Core Plugin - Attackers Can Read Secret Files

Another flaw in Jupiter X Core lets contributors peek at files they shouldn't access, like configuration files containing database passwords and API keys. Think of it as someone finding a way to read locked filing cabinets in your office.

Impact: Attackers could discover sensitive information needed to break into your website more deeply, compromise customer data, or access your hosting account credentials.

↗ View on NVD

MEDIUM CVE-2023-6892 6.4/10 · CVSS v3.1 ⏱ Within 7 days

EAN for WooCommerce - Stored Malicious Code Injection

The EAN for WooCommerce plugin has a flaw where malicious code can be permanently stored on your site through product data. When customers view these products, the code runs in their browsers, potentially stealing their information.

Impact: Customers could have their personal or payment information stolen, your site could be blacklisted by search engines, and you could face legal liability for security breaches.

↗ View on NVD

MEDIUM CVE-2025-13364 6.4/10 · CVSS v3.1 ⏱ Within 7 days

WP Maps Plugin - Malicious Code Injection in Maps Display

The WP Maps plugin doesn't properly filter data in map shortcodes, allowing attackers to inject malicious code that gets permanently stored and executed. This affects any visitor viewing those maps.

Impact: Visitors' browsers could be compromised, personal data could be stolen, and your site's credibility would be damaged if malware is detected.

↗ View on NVD

MEDIUM CVE-2019-12346 6.1/10 · CVSS v3.0 ⏱ Within 7 days

miniOrange SAML Plugin - Login System Security Flaw

The miniOrange single sign-on plugin has a vulnerability in how it processes login information from external sources. Attackers can craft fake login requests that inject malicious code into the login process.

Impact: User accounts could be compromised, login credentials could be stolen, or your site could be used to spread malware to users trying to log in.

↗ View on NVD

Is your website running Wordpress 4.8.7?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 32 affected sites

How to Check If Your Website Is Affected

1 Log in to your WordPress dashboard and go to the bottom left corner. You'll see 'WordPress 4.8.7' listed—this confirms your version.
2 Check your installed plugins by navigating to Plugins > Installed Plugins. Look for Jupiter X Core, EAN for WooCommerce, WP Maps, and miniOrange SAML SP Single Sign On plugins.
3 For each vulnerable plugin found, note its version number. If any are at or below version 4.8.7 (for most plugins) or 4.8.73 (for miniOrange), your site is at risk.

How to Fix These Vulnerabilities

1 First, backup your entire website immediately using your hosting control panel or a backup plugin. This ensures you can recover if something goes wrong during updates.
2 Update WordPress to the latest version by going to Dashboard > Updates and clicking 'Update Now'. This process typically takes just a few minutes.
3 Update all plugins to their latest versions by navigating to Plugins > Installed Plugins, checking the vulnerable plugins, and clicking 'Update Plugins'. Disable plugins you don't actively use.
4 After updates are complete, test your website thoroughly—check all key pages, forms, and functionality to ensure everything works as expected. If issues arise, use your backup to restore.

Conclusion

WordPress 4.8.7 is outdated and poses genuine security risks to your website. The combination of one high-severity vulnerability and four medium-level flaws—particularly those involving Remote Code Execution and Cross-Site Scripting—means your site could be compromised by attackers. The good news is that updating WordPress and your plugins is a straightforward process that takes just minutes and immediately closes these security gaps.

Don't wait until your site is hacked to take action. Use SiteRecipe.com's comprehensive security scanning tool to identify vulnerabilities across your entire WordPress installation, check plugin compatibility, and receive personalized recommendations for securing your site. Our platform makes it easy to monitor your WordPress health continuously, ensuring you stay protected against emerging threats. Start your free scan today and take control of your website's security.

Frequently Asked Questions

Is WordPress 4.8.7 still supported with security updates?

No, WordPress 4.8.7 is no longer supported by the WordPress team. Security updates are only provided for the current version and a few previous releases. Running unsupported versions leaves your site vulnerable to newly discovered exploits that won't receive patches.

Can I update WordPress without losing my website content?

Yes, absolutely. WordPress updates are designed to preserve all your content, pages, posts, and settings. A proper backup before updating ensures you can recover quickly if any issues occur, but data loss from standard updates is extremely rare.

What happens if I don't update these vulnerable plugins?

Leaving vulnerable plugins unpatched allows attackers to exploit known security flaws. In the case of Jupiter X Core's RCE vulnerability, attackers could gain complete control of your website, steal data, inject malware, or use your site to attack other websites. Immediate updates are critical.

Will updating WordPress break my theme or plugins?

Most compatibility issues are rare when updating to reasonably recent WordPress versions. However, very old themes or poorly-coded plugins might have problems. This is why backing up before updating is essential—it lets you test safely and restore if needed.

How often should I update WordPress?

Update WordPress as soon as updates are available, especially security updates. For plugins, check for updates at least monthly. Enabling automatic updates in your WordPress settings is the easiest way to stay protected without manual work.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 32 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com