WordPress 4.8.9 contains 8 significant security vulnerabilities that put over 1,400 websites at risk. Three of these are classified as critical severity, including SQL injection, arbitrary file deletion, and directory traversal attacks that could compromise your entire site. If you're running this outdated version, immediate action is necessary to protect your data and your visitors' information.
This comprehensive guide will help you understand these vulnerabilities, determine if your site is affected, and implement the necessary security fixes. Whether you're a site owner or administrator, understanding these risks is the first step toward securing your WordPress installation.
WordPress 4.8.9 is an older version of WordPress, the popular platform that powers nearly 44% of all websites on the internet. This particular version was released to address earlier security issues, but security researchers have since discovered that it still contains multiple unpatched vulnerabilities. Many websites continue running outdated versions like 4.8.9 either because they're unaware of the risks or they depend on plugins that haven't been updated for newer WordPress versions.
The vulnerabilities in WordPress 4.8.9 primarily affect the ChatBot and AI ChatBot plugins, which are commonly used to add automated customer support features to websites. These plugins allow attackers to inject malicious code, delete files, access sensitive information, or take unauthorized actions—even without proper administrator permissions. The severity of these issues makes upgrading or patching your WordPress installation a critical priority.
8 CVEs found. The most critical are explained below.
This vulnerability allows hackers to trick the ChatBot plugin into revealing or manipulating your website's database without needing to log in. They do this by sending specially crafted requests that bypass the plugin's security checks.
Impact: Attackers could steal customer data, passwords, email addresses, or modify your website's content and settings without your knowledge.
↗ View on NVDThis vulnerability lets anyone with even a basic subscriber account (like a commenter) delete critical files from your web server. The plugin doesn't properly check permissions before allowing file deletion.
Impact: Attackers could delete essential website files, causing your site to crash, become inaccessible, or allowing complete takeover of your website.
↗ View on NVDThis flaw allows low-level users to access and modify files outside of where they should be allowed. They can insert malicious code into any file on your server by navigating through the file system.
Impact: Your website could be completely compromised, data stolen, or your site could be used to attack your visitors' computers.
↗ View on NVDThe Greenshift plugin doesn't properly filter user input in shortcodes, allowing contributors to inject malicious scripts. Once published, these scripts run for all visitors to your site.
Impact: Visitors' browsers could be infected with malware, their personal data stolen, or they could be redirected to malicious websites without your knowledge.
↗ View on NVDThe ChatBot plugin unintentionally reveals whether specific usernames exist on your site. Hackers can use this information to target accounts for password attacks.
Impact: Your user accounts become easier targets for hackers attempting to break in, potentially compromising customer data and account security.
↗ View on NVDThe ChatBot plugin doesn't verify user permissions for certain automated actions. Unauthenticated visitors can trigger functions they shouldn't have access to.
Impact: Attackers could perform unauthorized actions on your site like modifying settings, deleting content, or accessing restricted information.
↗ View on NVDShowing first 10 of 2. View all on NVD ↗
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2023-5534 | MEDIUM | 4.3 | 2023-10-20 | The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce valida… |
| CVE-2025-12847 | MEDIUM | 4.3 | 2025-11-15 | The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a m… |
Plain English · Fix recommendations · Instant PDF & HTML download
Scan your site in 30 seconds. Used by 500+ web agencies.
WordPress 4.8.9 poses serious security risks that cannot be ignored. With three critical vulnerabilities affecting SQL injection, file deletion, and directory traversal attacks, your website and user data are in danger. The good news is that these threats are completely preventable through timely updates and proper security practices. Taking action today protects not only your site but also your visitors' trust and your business reputation.
SiteRecipe.com provides automated security scanning and vulnerability detection to identify outdated software, missing patches, and potential threats across your entire web infrastructure. Our platform continuously monitors for new CVEs and alerts you immediately when vulnerabilities affecting your systems are discovered. Don't wait for a breach to happen—use SiteRecipe.com to proactively scan your websites and get detailed remediation guidance tailored to your specific setup. Start your free security scan today and gain peace of mind knowing your sites are protected.
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.