WordPress 4.9.3 is outdated and poses significant security risks to your website. Our analysis has identified 12 vulnerabilities in this version, including 1 critical-level flaw and 6 high-severity issues that could allow attackers to delete files, bypass authentication, and execute arbitrary commands on your server. If you're still running WordPress 4.9.3, your website is at serious risk of compromise.
Approximately 486 websites are currently using this vulnerable version, making them targets for automated attacks. These vulnerabilities affect popular plugins like AI ChatBot, Slimstat Analytics, WP All Import Pro, and WooCommerce PDF Vouchers. In this guide, we'll explain each vulnerability, show you how to check if you're affected, and provide step-by-step instructions to secure your site.
WordPress 4.9.3 is an older version of WordPress, the world's most popular website platform. Released several years ago, this version powered millions of websites and is still used by some site owners today. However, technology evolves rapidly, and WordPress releases updates frequently to patch security holes, improve performance, and add new features. When you don't update to newer versions, your website becomes increasingly vulnerable to attacks.
Think of WordPress 4.9.3 like an older lock on your front door—it might have worked fine when it was installed, but security experts have since discovered ways to break it. Hackers actively search the internet for websites using outdated software because they know exactly which vulnerabilities to exploit. Staying on WordPress 4.9.3 is like leaving your digital front door ajar, inviting attackers to steal your data, take control of your site, or use it to attack other websites.
12 CVEs found. The most critical are explained below.
The AI ChatBot plugin has a serious flaw that lets users with basic account access delete important files from your website's server. This vulnerability exists in versions up to 4.8.9 and version 4.9.2.
Impact: An attacker could delete critical website files, making your site unusable or taking complete control of it. Your website could go offline or be replaced with malicious content.
The Slimstat Analytics plugin before version 4.9.3.3 allows basic account users to insert harmful commands directly into your website's database through shortcodes. A shortcode is a simple text code that performs functions on your site.
Impact: Attackers could steal visitor data, modify website content, or extract sensitive information from your database without proper authorization.
WP All Import Pro versions up to 4.9.3 lack proper safeguards on a specific function, allowing administrator-level users to make unauthorized requests to other websites or servers from your server.
Impact: Your website could be used as a tool to attack other sites, access internal company systems, or be flagged as malicious by internet providers, affecting your site's reputation.
The WP Maps plugin before version 4.9.3 doesn't properly validate file path inputs, allowing authenticated users to access files they shouldn't be able to view on your server.
Impact: Sensitive files like configuration files containing passwords or private data could be exposed and viewed by unauthorized users.
The WooCommerce PDF Vouchers plugin versions up to 4.9.3 have a flaw in their QR code login feature that doesn't properly verify user identity, allowing anyone to log in without credentials.
Impact: Attackers could gain unauthorized access to customer accounts, steal personal information, or make fraudulent purchases without entering valid login credentials.
The Newsletters plugin before version 4.9.3 fails to properly clean user inputs before using them in database queries and system commands, potentially allowing administrators to accidentally or maliciously run dangerous commands.
Impact: Someone with admin access could execute harmful commands on your server, completely compromising your website and server security.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2026-3718 | HIGH | 7.2 | 2026-05-14 | The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'MWP-Key-Name' HTTP request header in all versions up to, and including, 4.9.31. This… |
| CVE-2025-9128 | MEDIUM | 6.4 | 2025-09-11 | The eID Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.9.3 due to insufficient input sanitiz… |
| CVE-2019-14470 | MEDIUM | 6.1 | 2019-09-04 | cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter. |
| CVE-2022-4310 | MEDIUM | 6.1 | 2023-01-09 | The Slimstat Analytics WordPress plugin before 4.9.3 does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cros… |
| CVE-2025-14718 | MEDIUM | 5.4 | 2026-01-09 | The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugi… |
| CVE-2026-7526 | MEDIUM | 4.3 | 2026-05-28 | The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possi… |
WordPress 4.9.3 is no longer safe for production websites. With 12 documented vulnerabilities—including critical flaws that allow file deletion, authentication bypass, and remote code execution—every day you delay updating puts your business at risk. The good news is that updating WordPress takes just minutes and eliminates nearly all of these security threats instantly.
Don't leave your website vulnerable. Use SiteRecipe.com's free security scanner to identify all vulnerabilities on your site, get personalized recommendations, and receive alerts when new threats are discovered. Our platform helps thousands of website owners stay secure and compliant. Start your free security scan today at SiteRecipe.com and take control of your website's security.