    Home /
    Blog /
    wordpress 4.9.5
  

Security Advisory

WordPress 4.9.5: 5 Critical Security Vulnerabilities Explained

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 177 websites still running wordpress 4.9.5 → View full list

Total

Critical

Medium

WordPress 4.9.5, released in April 2018, powers thousands of websites worldwide but contains significant security vulnerabilities that put your site at risk. With 1 critical and 4 medium-severity CVEs identified, site owners using this outdated version face potential file uploads, XSS attacks, and unauthorized data modifications. This comprehensive guide will help you understand these vulnerabilities, identify if your site is affected, and implement immediate security fixes.

Security threats evolve constantly, and WordPress 4.9.5 lacks protections against modern attack vectors. Whether you're running an e-commerce store with WooCommerce plugins or managing user access through WordPress login systems, these vulnerabilities could compromise your entire website. Let's explore each threat and show you exactly how to protect your business.

What is Wordpress 4.9.5?

WordPress 4.9.5 is an older version of WordPress released in April 2018. WordPress is the world's most popular website builder, powering over 43% of all websites on the internet. It's a free, open-source platform that lets anyone create blogs, e-commerce stores, and professional websites without coding knowledge. Think of it as a digital storefront builder that handles everything from content management to user accounts.

As a website owner, your WordPress version is crucial because outdated versions lack security patches that protect against hackers and malicious attacks. WordPress 4.9.5 was released over six years ago, meaning it predates many modern security threats. Every day, cybercriminals discover new ways to exploit old software, and websites stuck on ancient versions become easy targets. Upgrading to the latest WordPress version is like replacing old locks on your house with modern security systems.

Key Vulnerabilities in Wordpress 4.9.5

5 CVEs found. The most critical are explained below.

CRITICAL CVE-2025-10412 9.8/10 · CVSS v3.1 ⏱ Immediate

WooCommerce Plugin Allows Hackers to Upload Dangerous Files

A popular WooCommerce plugin (Uni CPO) has a security flaw that lets attackers upload files to your server without proper checks. This happens in the file upload feature that doesn't properly validate what type of files are being uploaded.

Impact: Attackers could upload malicious files like viruses or backdoors to take control of your entire website and steal customer data or inject malware into visitor browsers.

↗ View on NVD

MEDIUM CVE-2018-10100 6.1/10 · CVSS v3.0 ⏱ Within 7 days

WordPress 4.9.5 and earlier don't properly verify where the login page redirects users after they log in. An attacker could redirect users to a fake site to steal their credentials.

Impact: Hackers could trick users into entering passwords on malicious websites by exploiting the redirect vulnerability, compromising account security.

↗ View on NVD

MEDIUM CVE-2018-10101 6.1/10 · CVSS v3.0 ⏱ Within 7 days

Localhost URL Validation Bypass

WordPress 4.9.5 and earlier incorrectly trust URLs containing 'localhost' as being safe internal links. An attacker could exploit this to perform unauthorized actions.

Impact: Attackers could bypass security checks and access internal WordPress functions or sensitive data that should be restricted.

↗ View on NVD

MEDIUM CVE-2018-10102 6.1/10 · CVSS v3.0 ⏱ Within 30 days

Version Information Not Properly Protected

WordPress 4.9.5 and earlier expose the WordPress version number in a way that isn't properly escaped, allowing attackers to inject malicious code through this field.

Impact: Hackers could inject malicious scripts that execute when visitors view your site, potentially stealing data or redirecting them to malicious sites.

↗ View on NVD

MEDIUM CVE-2024-6465 4.3/10 · CVSS v3.1 ⏱ Within 7 days

WP Links Plugin Allows Unauthorized Data Changes

The WP Links Page plugin (version 4.9.5 and earlier) doesn't properly check permissions before allowing users to modify content. Even basic subscriber accounts could change website data they shouldn't access.

Impact: Low-level user accounts could alter important website information, links, or screenshots without authorization, damaging your site's integrity and reputation.

↗ View on NVD

Is your website running Wordpress 4.9.5?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 177 affected sites

How to Check If Your Website Is Affected

1 Log into your WordPress admin dashboard and look at the bottom right corner where it displays your WordPress version number
2 If you see version 4.9.5 or any number between 4.0 and 4.9.5, your site is vulnerable to these critical CVEs
3 Check your installed plugins (Plugins > Installed Plugins) and note if you have 'Product Options and Price Calculation Formulas for WooCommerce' or 'WP Links Page' plugins active

How to Fix These Vulnerabilities

1 Back up your entire website first by using a backup plugin like UpdraftPlus or requesting a backup from your hosting provider
2 Update WordPress to version 6.4 or later by going to Dashboard > Updates and clicking the 'Update Now' button
3 Update all your plugins to their latest versions, particularly WooCommerce-related plugins and any security-critical extensions
4 Run a security scan using Wordfence or similar security plugins to ensure no malware was installed while your site was vulnerable

Conclusion

WordPress 4.9.5 represents a significant security liability in today's threat landscape. The combination of file upload vulnerabilities, XSS exploitation potential, and unauthorized access risks means your website, customer data, and business reputation are in genuine danger. These aren't theoretical threats—they're active vulnerabilities that hackers actively exploit against outdated WordPress installations every single day.

Don't leave your digital assets unprotected. Use SiteRecipe.com's comprehensive security scanning tools to identify vulnerabilities across your entire WordPress installation, receive step-by-step remediation guidance, and maintain continuous monitoring to ensure your site stays secure. Our platform provides instant vulnerability alerts, plugin security analysis, and automated update recommendations so you can focus on growing your business while we handle your security. Visit SiteRecipe.com today and get your free security audit—because protecting your website is too important to leave to chance.

Frequently Asked Questions

How serious is the critical CVE-2025-10412 vulnerability?

CVE-2025-10412 is classified as CRITICAL because it allows attackers to upload arbitrary files to your server without proper validation. This means hackers could upload malware, backdoors, or malicious scripts that give them complete control of your website. If you use the Uni CPO WooCommerce plugin, this vulnerability could expose your entire e-commerce operation to theft and fraud.

Can I stay on WordPress 4.9.5 if I disable vulnerable plugins?

No, it's not safe enough. While disabling specific vulnerable plugins helps, WordPress 4.9.5 itself contains multiple medium-severity vulnerabilities including login page redirection flaws, XSS attacks through generator tags, and localhost URL validation issues. You need to upgrade the core WordPress version to receive all security patches and protections against newer threats that didn't exist in 2018.

Will updating WordPress break my website or plugins?

Modern WordPress updates are designed to be backwards-compatible with properly coded plugins and themes. Before updating, always create a backup (which takes 5 minutes) so you can restore your site if any issues occur. Most reputable plugins automatically update alongside WordPress. After updating, test your site's main functions like checkout, forms, and user registration to ensure everything works correctly.

How many websites are still vulnerable with version 4.9.5?

Approximately 177 websites are still running WordPress 4.9.5 according to current vulnerability databases. While this might seem small, each of these sites is actively exposed to attackers who scan the internet specifically for outdated WordPress installations. Your site could be identified and exploited within days of a security scan by malicious actors.

What's the easiest way to monitor for future vulnerabilities?

Use security monitoring services like SiteRecipe.com that continuously scan your WordPress installation, plugins, and themes for known vulnerabilities. These services automatically alert you when new CVEs are discovered that affect your specific setup, so you can patch before attackers exploit them. This is far easier than manually checking security bulletins every week.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 177 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com