WordPress 4.9 is an outdated release branch from November 2017. Our database associates 114 known security vulnerabilities (CVEs) with it, including 8 rated critical that could let an attacker take complete control of a site. Currently, 41 websites are still running this version, putting their data and their visitors at serious risk. If your site is among them, act now.
The most dangerous entries include remote code execution through popular plugins, PHP object injection, and authentication bypass. These are not theoretical: bugs of these classes are exploited against unpatched sites every day. This guide helps you decide whether your site is affected and shows what to do about it.
We analyzed all 114 CVEs in this list to write this guide. One caveat on how the list was assembled: it mixes CVEs in WordPress core itself (where the affected range reads "before 4.9.x") with CVEs in plugins and themes whose own version number happens to be 4.9.x, such as the Newsletters, Slimstat Analytics and AI ChatBot entries in the table below. A plugin entry applies whatever core version you run, and it is fixed by updating that plugin, not by upgrading core. Whether you manage a small blog or a business website, understanding both kinds of risk and acting on them is essential for protecting your online presence.
WordPress 4.9 is a release of the WordPress content management system published in November 2017. It is the software that powers the backend of millions of websites, letting users create, manage and publish content without writing code. The 4.9 release focused on the Customizer (drafting and scheduling design changes) and on the built-in code editors; the Gutenberg block editor did not arrive until WordPress 5.0 in December 2018.
However, WordPress 4.9 is now severely outdated. Many major versions have shipped since then, each fixing security issues found in older code. Continuing to run 4.9 is like leaving your front door unlocked: the site may still work, but the risks far outweigh any benefit. Modern versions carry the patches for those issues; the older a version is, the more of them it lacks, and attackers look for exactly those gaps.
114 CVEs found. The most serious are explained in plain language below; the complete table follows.
The UserPro plugin has a flaw that lets an attacker log in as an administrator without the password, provided the administrator account is named 'admin' (the historical default username). It is like a lock that opens for anyone who knows the name on the door. Besides updating the plugin, rename or remove any account called 'admin'.
Impact: An attacker could gain complete control of your website, steal data, modify content, or install malware. Your entire site could be compromised.
The VideoWhisper video conference plugin checks uploaded file types incorrectly. An attacker can upload an executable file disguised as a harmless one and have the server run it.
Impact: Hackers could execute any commands on your server, steal sensitive information, deface your website, or use it to attack other sites.
WordPress core before 4.9.9 mishandles media files processed through XML-RPC requests. A specially crafted request can inject malicious code, and contributor-level access is enough to send it.
Impact: Attackers could inject and execute harmful code on your website, potentially taking it over or stealing data.
The WPLMS Learning Management System plugin does not check user permissions before allowing file access, so unauthorized users can read or delete files on your server.
Impact: Attackers could access confidential files, delete critical website data, or cause your site to stop working.
The Product Options and Price Calculation plugin for WooCommerce does not properly validate file uploads. Attackers can upload malicious files (such as executable code) disguised as legitimate documents.
Impact: Malicious files uploaded to your server could be executed to hack your site, steal customer data, or spread malware.
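The two upload flaws above (VideoWhisper and Product Options) share a root cause: the plugin decides whether a file is safe from something the attacker controls, typically the file name. The block below is an added example by this page's editor, not code from either plugin, and it makes no claim about how their checks are actually written. It shows the extension-only pattern next to a hardened check that requires the name, the extension and the content to agree, run over constructed sample uploads.

```python
"""
Extension-only upload check (the pattern behind upload flaws like the two
described above) next to a hardened version. Added example by the page's
editor: it is not the code of either plugin and says nothing about how their
checks are actually written. The sample uploads are constructed byte strings.
"""
import os
import re
import secrets
from typing import Dict, Optional, Tuple

ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes a file of each allowed type must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

PHP_MARKER = re.compile(rb"<\?(php|=)")


def vulnerable_check(filename: str) -> bool:
    """Trusts the last extension of the client-supplied name and nothing else.
    'shell.php.jpg' and a PHP script renamed to .jpg both pass."""
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED


def hardened_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The name, the extension and the content must
    all agree before the file is accepted."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in base or base.startswith("."):
        return False, "path separator, NUL byte or dotfile in name"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not in allowlist"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not look like {ext}"
    # Heuristic only: a PHP open tag has no business in an image or PDF, but the
    # real control is a web server that never executes scripts under uploads/.
    if PHP_MARKER.search(data):
        return False, "embedded PHP marker"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Never keep the client's file name on disk: random name, server-chosen extension."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples: name -> content.
SAMPLES: Dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "shell.php.jpg": b"\xff\xd8\xff\xe0<?php system($_GET['c']); ?>",
    "notes.jpg": b"<?php echo 'not an image'; ?>",
    "../../wp-config.php": b"%PDF-1.4",
    "report.pdf": b"%PDF-1.4 constructed sample",
}


def compare(samples: Optional[Dict[str, bytes]] = None) -> Dict[str, Tuple[bool, bool]]:
    """name -> (accepted by vulnerable_check, accepted by hardened_check)."""
    samples = SAMPLES if samples is None else samples
    return {name: (vulnerable_check(name), hardened_check(name, data)[0])
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:22} extension-only={weak!s:5} hardened={strong}")
```

Whether a double extension like `shell.php.jpg` is actually executed depends on the web server's handler configuration; rejecting it outright is cheaper than auditing that. The magic-byte check does not catch a valid image with PHP in its metadata, which is why the server must also refuse to run scripts from the uploads directory.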
The AI ChatBot plugin has a permission flaw that lets even low-privilege accounts (subscribers) delete any file on the server; see CVE-2023-5241 in the table below. Only administrators should be able to do anything close to this.
Impact: Attackers or disgruntled users could delete critical website files, causing your site to malfunction or become inaccessible.
The complete table follows, sorted by CVSS score (108 entries). Each CVE ID can be looked up on NVD for the full record.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2023-5241 | CRITICAL | 9.6 | 2023-10-19 | The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcld_openai_upload_pagetraining_file function. T… |
| CVE-2024-2472 | CRITICAL | 9.1 | 2024-06-14 | The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_… |
| CVE-2017-17091 | HIGH | 8.8 | 2017-12-02 | wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intende… |
| CVE-2018-12895 | HIGH | 8.8 | 2018-06-26 | WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink… |
| CVE-2017-1000600 | HIGH | 8.8 | 2018-09-06 | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via… |
| CVE-2018-1000773 | HIGH | 8.8 | 2018-09-06 | WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for … |
| CVE-2019-8942 | HIGH | 8.8 | 2019-02-20 | WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending wit… |
| CVE-2023-0630 | HIGH | 8.8 | 2023-03-20 | The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query. |
| CVE-2024-8247 | HIGH | 8.8 | 2024-09-06 | The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2. This is due to the plugin not restricting what user meta … |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2024-9624 | HIGH | 7.6 | 2024-12-17 | The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl… |
| CVE-2018-6389 | HIGH | 7.5 | 2018-02-06 | In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script… |
| CVE-2018-20151 | HIGH | 7.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine … |
| CVE-2024-24926 | HIGH | 7.5 | 2024-02-12 | Deserialization of Untrusted Data vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme. This issue affects Brooklyn | Creative Multi-Purpose R… |
| CVE-2025-7402 | HIGH | 7.5 | 2025-11-24 | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘site_id’ parameter in all versions up to, … |
| CVE-2026-3222 | HIGH | 7.5 | 2026-03-11 | The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the pl… |
| CVE-2026-2580 | HIGH | 7.5 | 2026-03-23 | The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter… |
| CVE-2026-6381 | HIGH | 7.5 | 2026-05-18 | The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion atta… |
| CVE-2024-7027 | HIGH | 7.3 | 2024-07-24 | The WooCommerce - PDF Vouchers plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.9.3. This is due to insufficient verification on the… |
| CVE-2018-14028 | HIGH | 7.2 | 2018-08-10 | In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extr… |
| CVE-2023-4797 | HIGH | 7.2 | 2024-01-16 | The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an a… |
| CVE-2024-9664 | HIGH | 7.2 | 2025-02-07 | The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import … |
| CVE-2025-2009 | HIGH | 7.2 | 2025-03-26 | The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logging functionality in all versions up to, and including, 4.9.9.7 due to insufficient i… |
| CVE-2025-4857 | HIGH | 7.2 | 2025-05-31 | The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. This makes it possible for authe… |
| CVE-2026-1320 | HIGH | 7.2 | 2026-02-12 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' HTTP header in all versions up t… |
| CVE-2026-3718 | HIGH | 7.2 | 2026-05-14 | The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'MWP-Key-Name' HTTP request header in all versions up to, and including, 4.9.31. This… |
| CVE-2024-24927 | HIGH | 7.1 | 2024-02-12 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme all… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2018-20147 | MEDIUM | 6.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
| CVE-2018-20152 | MEDIUM | 6.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
| CVE-2024-12558 | MEDIUM | 6.5 | 2024-12-21 | The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db funct… |
| CVE-2024-12415 | MEDIUM | 6.5 | 2025-01-31 | The AI Infographic Maker plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.9.0. This is due to the software allowing … |
| CVE-2025-3107 | MEDIUM | 6.5 | 2025-05-13 | The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby' parameter in all versions up to, and including, 4.9.9.8 due to insufficient escapi… |
| CVE-2025-10175 | MEDIUM | 6.5 | 2025-10-11 | The WP Links Page plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 4.9.6 due to insufficient escaping on the user s… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-2300 | MEDIUM | 6.4 | 2023-06-03 | The Contact Form Builder by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 4.9.1 due to insuff… |
| CVE-2024-10181 | MEDIUM | 6.4 | 2024-10-29 | The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to… |
| CVE-2025-3527 | MEDIUM | 6.4 | 2025-05-17 | The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all vers… |
| CVE-2025-4590 | MEDIUM | 6.4 | 2025-05-31 | The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and includin… |
| CVE-2025-9128 | MEDIUM | 6.4 | 2025-09-11 | The eID Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.9.3 due to insufficient input sanitiz… |
| CVE-2026-0609 | MEDIUM | 6.4 | 2026-03-21 | The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions… |
| CVE-2026-3722 | MEDIUM | 6.4 | 2026-06-02 | The Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attac… |
| CVE-2022-29434 | MEDIUM | 6.3 | 2022-05-20 | Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events. |
| CVE-2018-5776 | MEDIUM | 6.1 | 2018-01-18 | WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
| CVE-2018-10100 | MEDIUM | 6.1 | 2018-04-16 | Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. |
| CVE-2018-10101 | MEDIUM | 6.1 | 2018-04-16 | Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
| CVE-2018-10102 | MEDIUM | 6.1 | 2018-04-16 | Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. |
| CVE-2018-16285 | MEDIUM | 6.1 | 2018-09-06 | The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php. |
| CVE-2018-20150 | MEDIUM | 6.1 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
| CVE-2019-14470 | MEDIUM | 6.1 | 2019-09-04 | cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter. |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2022-4310 | MEDIUM | 6.1 | 2023-01-09 | The Slimstat Analytics WordPress plugin before 4.9.3 does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cros… |
| CVE-2023-1978 | MEDIUM | 6.1 | 2023-06-09 | The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the query string in versions up to, and including, 4.9.25 du… |
| CVE-2024-8850 | MEDIUM | 6.1 | 2024-09-19 | The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for th… |
| CVE-2024-9435 | MEDIUM | 6.1 | 2024-10-04 | The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL keys in all versions up to, and including, 4.9.66 due to… |
| CVE-2024-12469 | MEDIUM | 6.1 | 2024-12-17 | The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘status’ parameter in all versions up to, and… |
| CVE-2024-13739 | MEDIUM | 6.1 | 2025-03-22 | The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input… |
| CVE-2025-5807 | MEDIUM | 6.1 | 2025-07-10 | The Gwolle Guestbook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘gwolle_gb_content’ parameter in all versions up to, and including, 4.9.2 due to ins… |
| CVE-2025-13153 | MEDIUM | 6.1 | 2026-01-02 | The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with t… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2025-13391 | MEDIUM | 5.8 | 2026-02-11 | The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability … |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2024-8722 | MEDIUM | 5.5 | 2025-01-19 | The Import any XML or CSV File to WordPress PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.9.7 … |
| CVE-2017-17092 | MEDIUM | 5.4 | 2017-12-02 | wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS atta… |
| CVE-2017-17093 | MEDIUM | 5.4 | 2017-12-02 | wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via… |
| CVE-2017-17094 | MEDIUM | 5.4 | 2017-12-02 | wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. |
| CVE-2018-20149 | MEDIUM | 5.4 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS… |
| CVE-2018-20153 | MEDIUM | 5.4 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2022-25599 | MEDIUM | 5.4 | 2022-02-21 | Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0). |
| CVE-2023-0275 | MEDIUM | 5.4 | 2023-02-13 | The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where t… |
| CVE-2024-3269 | MEDIUM | 5.4 | 2024-05-30 | The Download Monitor plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the dlm_uninstall_plugin function in all versi… |
| CVE-2025-14718 | MEDIUM | 5.4 | 2026-01-09 | The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugi… |
| CVE-2023-5533 | MEDIUM | 5.3 | 2023-10-20 | The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and includ… |
| CVE-2024-0855 | MEDIUM | 5.3 | 2024-02-27 | The Spiffy Calendar WordPress plugin before 4.9.9 doesn't check the event_author parameter, and allows any user to alter it when creating an event, leading to deceiving users/admi… |
| CVE-2024-7411 | MEDIUM | 5.3 | 2024-08-15 | The Newsletters plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.9.9. This is due the plugin not preventing direct access to the … |
| CVE-2024-10861 | MEDIUM | 5.3 | 2024-11-16 | The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on t… |
| CVE-2025-10637 | MEDIUM | 5.3 | 2025-10-25 | The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that… |
| CVE-2025-14442 | MEDIUM | 5.3 | 2025-12-12 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly acce… |
| CVE-2026-3506 | MEDIUM | 5.3 | 2026-03-21 | The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2024-6158 | MEDIUM | 4.8 | 2024-08-12 | The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Po… |
| CVE-2024-9638 | MEDIUM | 4.8 | 2025-01-07 | The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored … |
| CVE-2025-1453 | MEDIUM | 4.8 | 2025-04-24 | The Category Posts Widget WordPress plugin before 4.9.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored … |
| CVE-2024-8702 | MEDIUM | 4.8 | 2025-05-15 | The Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Si… |
| CVE-2023-5606 | MEDIUM | 4.4 | 2023-11-02 | The ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via the FAQ Builder in versions 4.8.6 through 4.9.6 due to insufficient input sanitization and output escapi… |
| CVE-2024-8680 | MEDIUM | 4.4 | 2024-09-21 | The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.9.16 due to insuffi… |
| CVE-2024-8488 | MEDIUM | 4.4 | 2024-10-08 | The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Survey fields in all versions up to, and including, 4.9.7 due to insufficient input sanitiza… |
| CVE-2026-9594 | MEDIUM | 4.4 | 2026-06-06 | The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messag… |
| CVE-2015-9418 | MEDIUM | 4.3 | 2019-09-26 | The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows an attacker to delete quizzes. |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2023-5534 | MEDIUM | 4.3 | 2023-10-20 | The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce valida… |
| CVE-2023-6897 | MEDIUM | 4.3 | 2024-04-18 | The EAN for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.9.2 via the 'alg_wc_ean_product_meta' sh… |
| CVE-2024-6465 | MEDIUM | 4.3 | 2024-07-13 | The WP Links Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wplf_ajax_update_screenshots' function in all v… |
| CVE-2024-9661 | MEDIUM | 4.3 | 2025-02-07 | The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the … |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-13149 | MEDIUM | 4.3 | 2025-11-21 | The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of d… |
| CVE-2025-14159 | MEDIUM | 4.3 | 2025-12-12 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to… |
| CVE-2025-13741 | MEDIUM | 4.3 | 2025-12-16 | The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data du… |
| CVE-2025-14384 | MEDIUM | 4.3 | 2026-01-16 | The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability che… |
| CVE-2026-5075 | MEDIUM | 4.3 | 2026-05-20 | The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to … |
| CVE-2026-7526 | MEDIUM | 4.3 | 2026-05-28 | The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possi… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
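
The table is only useful if you can compare it against what is actually installed. The script below is an added example by this page's editor (not SiteRecipe's scanner and not WordPress code): it reads the core version from wp-includes/version.php and each plugin's version from its header comment, then matches them against a handful of affected-version ranges copied from the rows above. It runs offline, without WP-CLI, on a constructed sample install; point `audit()` at a real document root to use it.

```python
"""
Offline version audit driven by affected-version ranges from the CVE table
above. Added example by the page's editor: it is not SiteRecipe's scanner and
not WordPress code. It reads wp-includes/version.php and the header comment of
each plugin's main file straight from disk, so it works without WP-CLI or
network access. The sample install it builds is constructed for the demo.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# (component, test, bound, CVE): "lt" = affected below bound, "le" = up to and
# including it. Core ranges cover only the 4.9 branch this page is about; the
# 5.x ranges that several table entries also list are deliberately left out.
RULES = [
    ("core", "lt", "4.9.1", "CVE-2017-17091"),
    ("core", "le", "4.9.2", "CVE-2018-6389"),
    ("core", "le", "4.9.6", "CVE-2018-12895"),
    ("core", "le", "4.9.8", "CVE-2018-1000773"),
    ("core", "lt", "4.9.9", "CVE-2019-8942"),
    ("core", "lt", "4.9.9", "CVE-2018-20147"),
    ("Slimstat Analytics", "lt", "4.9.3.3", "CVE-2023-0630"),
    ("Newsletters", "le", "4.9.9.9", "CVE-2025-4857"),
    ("Spiffy Calendar", "le", "4.9.0", "CVE-2022-29434"),
]

CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.9.3.3' -> (4, 9, 3, 3). Trailing zeros are dropped so '4.9' equals
    '4.9.0'; a '-beta1' style suffix is ignored. Tuple comparison is what
    makes 4.9.10 sort after 4.9.9, which a plain string compare gets wrong."""
    nums = [int(p) for p in re.findall(r"\d+", v.split("-")[0])]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_affected(installed: str, test: str, bound: str) -> bool:
    a, b = parse_version(installed), parse_version(bound)
    return a < b if test == "lt" else a <= b


def read_core_version(root: str) -> str:
    path = os.path.join(root, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as fh:
        match = CORE_RE.search(fh.read())
    if not match:
        raise ValueError(f"no $wp_version assignment in {path}")
    return match.group(1)


def read_plugins(root: str) -> Dict[str, str]:
    """Plugin display name -> version, from the header block of each plugin's
    main file. Only the first 8 KiB is read, as WordPress itself does."""
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    found: Dict[str, str] = {}
    if not os.path.isdir(plugins_dir):
        return found
    candidates: List[str] = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if entry.endswith(".php"):                      # single-file plugin
            candidates.append(path)
        elif os.path.isdir(path):                       # plugin directory
            candidates += [os.path.join(path, f) for f in sorted(os.listdir(path))
                           if f.endswith(".php")]
    for path in candidates:
        with open(path, encoding="utf-8", errors="replace") as fh:
            fields = dict(HEADER_RE.findall(fh.read(8192)))
        if "Plugin Name" in fields and "Version" in fields:
            found[fields["Plugin Name"]] = fields["Version"]
    return found


def audit(root: str) -> List[Tuple[str, str, str]]:
    """Return (component, installed version, CVE) for every rule that matches."""
    versions = {"core": read_core_version(root)}
    versions.update(read_plugins(root))
    return [(name, versions[name], cve)
            for name, test, bound, cve in RULES
            if name in versions and is_affected(versions[name], test, bound)]


def build_sample_install() -> str:
    """Constructed sample tree (not a real site): core 4.9.8, Slimstat 4.9.10
    and Spiffy Calendar 4.9.0."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-includes/version.php":
            "<?php\n$wp_version = '4.9.8';\n",
        "wp-content/plugins/wp-slimstat/wp-slimstat.php":
            "<?php\n/*\nPlugin Name: Slimstat Analytics\nVersion: 4.9.10\n*/\n",
        "wp-content/plugins/spiffy-calendar/spiffy-calendar.php":
            "<?php\n/**\n * Plugin Name: Spiffy Calendar\n * Version: 4.9.0\n */\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for component, installed, cve in audit(build_sample_install()):
        print(f"{component} {installed}: {cve}")
```

On the sample install this reports three core CVEs for 4.9.8 and the Spiffy Calendar CSRF, and correctly leaves Slimstat 4.9.10 alone even though "4.9.10" sorts before "4.9.3.3" as a string. The rule list is a small excerpt; extend it from the table, and remember that a match only says the version is in the affected range, not that the vulnerable code path is reachable on your site.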
WordPress 4.9 is a security liability for your website, your users' data and your reputation. With 8 critical vulnerabilities and 26 high-severity flaws on this list, staying on it is an open invitation to attackers. The good news is that upgrading is straightforward and takes less than an hour for most websites: take a full backup first, update core, then update or remove every plugin and theme that appears in the table, because the plugin entries are not fixed by a core upgrade.
Don't leave your website vulnerable another day. SiteRecipe.com provides comprehensive security monitoring and automated vulnerability scanning that identifies outdated versions and dangerous plugins in real-time. Our platform alerts you instantly when new CVEs are discovered and provides step-by-step remediation guides tailored to your specific WordPress setup. Start your free security scan today and get peace of mind knowing your website is protected against the latest threats.