WordPress 4.9.1 contains 28 known security vulnerabilities that could put your website at serious risk. With 2 critical-level CVEs and 4 high-severity issues, this outdated version is a target for hackers seeking unauthorized access and data theft. If your site is still running WordPress 4.9.1, you need to take action now to protect your business and customer data.
This comprehensive guide will help you understand the specific vulnerabilities affecting WordPress 4.9.1, identify if your site is at risk, and implement the security fixes needed to safeguard your WordPress installation. We'll walk you through each step of the process, from checking your current version to applying critical security patches.
WordPress 4.9.1 is an older version of the popular WordPress content management system, released in 2017. At the time of its release, it was considered secure, but security researchers have since discovered multiple vulnerabilities that attackers can exploit. This version is still used by approximately 120 websites worldwide, many of which may be unaware of the security risks they're facing.
Think of WordPress 4.9.1 like an older model car—it worked great when it was new, but newer safety features and security systems have been developed since then. Running this outdated version is like driving without modern airbags and security systems. Hackers specifically target older WordPress versions because they know about these published vulnerabilities and can easily exploit them.
28 CVEs were found for this version. The most critical are explained below.
The UserPro plugin has a security flaw that allows attackers to trick the system into thinking they are administrators without knowing the password. This happens if your site uses the common username 'admin' and the attacker modifies a specific web address parameter.
Impact: Hackers can gain complete control of your website, access all data, modify content, install malware, or lock you out of your own site.
The AI ChatBot plugin allows attackers with basic user accounts to delete any file on your server, not just their own files. Even regular subscribers can exploit this to destroy critical website files.
Impact: Your website could be completely destroyed or rendered non-functional. Attackers can delete backups, configuration files, and other essential data.
WordPress versions before 4.9.1 use a weak security code when creating new user accounts that attackers can easily guess. This allows unauthorized access to sensitive account creation functions.
Impact: Attackers can create fake admin accounts, add unauthorized users, or modify existing user permissions without authentication.
Files with specially crafted names uploaded to your media library can execute malicious code when someone views them. This requires an attacker to already have upload permissions.
Impact: Attackers can run harmful code on your server, steal data, or use your website to attack visitors.
The WP Maps plugin doesn't properly validate user input in the location search feature, allowing attackers to inject malicious database commands. They can slowly extract sensitive information from your database.
Impact: Hackers can access customer data, passwords, email addresses, and other sensitive information stored in your WordPress database.
The WP Maps Store Locator plugin has a flaw in its sorting feature that allows attackers to inject harmful database commands through the 'orderby' parameter.
Impact: Criminals can extract private customer information, database credentials, and other confidential data from your website.
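The 'orderby' flaw described above is a common pattern: a sort column taken from the request is pasted into the SQL text, and because ORDER BY takes an identifier rather than a value, a prepared-statement placeholder cannot protect it. The following is an added example (not code from this page or from the WP Maps plugin) showing the unsafe pattern next to an allow-list fix; the table and column names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Table and columns are hypothetical.

// Vulnerable: the request value is concatenated straight into the SQL text.
// Any SQL expression the caller supplies becomes part of the ORDER BY clause.
function build_query_vulnerable(string $orderby): string
{
    return "SELECT id, name, city FROM store_locations ORDER BY " . $orderby;
}

// Hardened: map the requested sort key to a fixed identifier chosen by the
// developer. Anything outside the allow-list falls back to the default and
// never reaches the query string.
function safe_orderby(string $requested, array $allowed, string $default): string
{
    $parts     = preg_split('/\s+/', trim($requested), 2);
    $column    = strtolower($parts[0] ?? '');
    $direction = strtoupper($parts[1] ?? 'ASC');

    if (!array_key_exists($column, $allowed)) {
        $column = $default;           // unknown key: use the default column
    }
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        $direction = 'ASC';           // only the two literal keywords pass
    }
    // $allowed values are real column names written by the developer,
    // so the returned fragment can only ever be one of those.
    return $allowed[$column] . ' ' . $direction;
}

function build_query_safe(string $orderby): string
{
    $allowed = ['name' => 'name', 'city' => 'city', 'distance' => 'distance_km'];
    return "SELECT id, name, city FROM store_locations ORDER BY "
         . safe_orderby($orderby, $allowed, 'name');
}

// Constructed request value: a sort key with a foreign SQL expression appended.
$hostile = "name, (SELECT 1)";

echo build_query_vulnerable($hostile), PHP_EOL;  // the subquery survives intact
echo build_query_safe($hostile), PHP_EOL;        // ... ORDER BY name ASC
```

A quick check that no request-controlled text reaches the query is to grep the plugin for `ORDER BY` and confirm each occurrence is built from an allow-list like the one above rather than from `$_GET`, `$_POST` or `$_REQUEST`.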
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2023-2300 | MEDIUM | 6.4 | 2023-06-03 | The Contact Form Builder by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 4.9.1 due to insuff… |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2024-8850 | MEDIUM | 6.1 | 2024-09-19 | The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for th… |
| CVE-2024-12469 | MEDIUM | 6.1 | 2024-12-17 | The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘status’ parameter in all versions up to, and… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2017-17092 | MEDIUM | 5.4 | 2017-12-02 | wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS atta… |
| CVE-2017-17093 | MEDIUM | 5.4 | 2017-12-02 | wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via… |
| CVE-2017-17094 | MEDIUM | 5.4 | 2017-12-02 | wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2023-0275 | MEDIUM | 5.4 | 2023-02-13 | The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where t… |
| CVE-2024-3269 | MEDIUM | 5.4 | 2024-05-30 | The Download Monitor plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the dlm_uninstall_plugin function in all versi… |
| CVE-2024-6158 | MEDIUM | 4.8 | 2024-08-12 | The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Po… |
| CVE-2024-9638 | MEDIUM | 4.8 | 2025-01-07 | The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored … |
| CVE-2024-8680 | MEDIUM | 4.4 | 2024-09-21 | The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.9.16 due to insuffi… |
| CVE-2025-13149 | MEDIUM | 4.3 | 2025-11-21 | The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of d… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
WordPress 4.9.1 contains serious security vulnerabilities that hackers actively exploit to gain unauthorized access to websites. The 2 critical vulnerabilities alone could allow attackers to delete your files or bypass authentication entirely. Staying on this outdated version puts your business reputation, customer trust, and sensitive data at serious risk.
Don't wait for a security breach to happen. Use SiteRecipe.com's free vulnerability scanner to instantly identify if your website is running outdated, vulnerable software. Our platform continuously monitors your site for security issues and alerts you to critical vulnerabilities before hackers can exploit them. Start your free security assessment today and get peace of mind knowing your WordPress installation is protected.