WordPress 4.9.2 contains 22 known security vulnerabilities that put your website at serious risk. Two of these are classified as CRITICAL, meaning attackers can exploit them to delete files, access sensitive data, and compromise your entire site. If you're still running this outdated version, your website is a target.
With 53 websites still using WordPress 4.9.2, many site owners are unaware of the dangers lurking in their installations. The vulnerabilities range from arbitrary file deletion to directory traversal attacks that allow unauthorized access. This guide will help you identify if your site is vulnerable and show you exactly how to fix it.
WordPress 4.9.2 is an older release of WordPress, the world's most popular website platform. Released in January 2018, it powered millions of websites at the time. However, like all software, WordPress receives security updates to patch newly discovered vulnerabilities. Version 4.9.2 is now several years old and no longer receives official security patches from WordPress.org.
Running outdated WordPress versions is like leaving your front door unlocked. Hackers actively exploit known vulnerabilities in older versions because they know many site owners haven't updated. The 22 vulnerabilities in WordPress 4.9.2—including critical flaws in file handling and authentication—make this version particularly dangerous for any site still in use.
22 CVEs found. The most critical are explained below.
The AI ChatBot plugin has a serious flaw that lets people with basic user accounts delete important files from your website server. This is like giving someone a key to delete critical documents in your office.
Impact: An attacker could delete essential website files, causing your site to go down completely or allowing them to take full control of your WordPress installation.
The AI ChatBot plugin allows basic users to sneak malicious code into your website files through a file upload feature. It's like someone finding a back door to your house and leaving traps inside.
Impact: Your website could crash, become slow, or be used to attack visitors and spread malware.
WordPress doesn't properly check if uploaded plugin files are legitimate, allowing administrators to accidentally upload dangerous files. This is like a security guard not checking if a package contains what it claims.
Impact: Your site could be compromised if you or someone with admin access unknowingly uploads a malicious file disguised as a plugin.
Anyone on the internet can repeatedly request large numbers of JavaScript files from your WordPress site without logging in, using up your server resources. It's like thousands of people flooding your store at once.
Impact: Your website becomes very slow or completely unavailable, hurting your business and visitor experience.
The WP BASE Booking plugin doesn't properly check user permissions when exporting data, allowing basic users to access sensitive information. It's like a receptionist having access to your financial records.
Impact: Private booking information, customer data, or business details could be viewed or downloaded by unauthorized users.
WordPress's built-in video player has a flaw that allows attackers to inject harmful code through specially crafted requests. This affects how videos are displayed on your site.
Impact: Visitors' browsers could be exploited, potentially stealing their personal information or redirecting them to malicious sites.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2018-16285 | MEDIUM | 6.1 | 2018-09-06 | The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php. |
| CVE-2023-1978 | MEDIUM | 6.1 | 2023-06-09 | The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the query string in versions up to, and including, 4.9.25 du… |
| CVE-2025-5807 | MEDIUM | 6.1 | 2025-07-10 | The Gwolle Guestbook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘gwolle_gb_content’ parameter in all versions up to, and including, 4.9.2 due to ins… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2023-5533 | MEDIUM | 5.3 | 2023-10-20 | The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and includ… |
| CVE-2025-10637 | MEDIUM | 5.3 | 2025-10-25 | The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that… |
| CVE-2025-14442 | MEDIUM | 5.3 | 2025-12-12 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly acce… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal. This issue affects WordPress: f… |
| CVE-2025-1453 | MEDIUM | 4.8 | 2025-04-24 | The Category Posts Widget WordPress plugin before 4.9.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored … |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2023-5534 | MEDIUM | 4.3 | 2023-10-20 | The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce valida… |
| CVE-2023-6897 | MEDIUM | 4.3 | 2024-04-18 | The EAN for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.9.2 via the 'alg_wc_ean_product_meta' sh… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-14159 | MEDIUM | 4.3 | 2025-12-12 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to… |
| CVE-2025-13741 | MEDIUM | 4.3 | 2025-12-16 | The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data du… |
| CVE-2025-14384 | MEDIUM | 4.3 | 2026-01-16 | The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability che… |
WordPress 4.9.2 is no longer safe to use in 2024. With 22 known vulnerabilities—including two critical exploits that allow file deletion and unauthorized access—staying on this version invites disaster. The good news is that updating to the latest WordPress version takes just minutes and immediately patches the majority of these threats.
Don't wait for a breach to happen. Use SiteRecipe.com's vulnerability scanner to identify all security risks on your website, get step-by-step remediation guides, and monitor for new threats continuously. Our platform makes WordPress security simple, even for non-technical site owners. Scan your site today and sleep better knowing you're protected.