    Home /
    Blog /
    wordpress 4.9.6
  

Security Advisory

WordPress 4.9.6 Security: 6 CVEs Found & How to Fix

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 267 websites still running wordpress 4.9.6 → View full list

Total

High

Medium

WordPress 4.9.6 is an older version still used by 267 websites worldwide, but it contains critical security vulnerabilities that put your site at serious risk. Our security analysis discovered 6 CVEs affecting this version, with one HIGH severity vulnerability that could allow attackers to execute arbitrary code and delete essential files. If your website is running this outdated version, you need to take action immediately to protect your data, visitors, and business reputation.

This comprehensive guide will walk you through identifying if your site uses WordPress 4.9.6, understanding the specific threats you face, and implementing the necessary security fixes. Whether you manage one site or multiple properties, understanding these vulnerabilities is the first step toward protecting your digital assets.

What is Wordpress 4.9.6?

WordPress 4.9.6 was released in July 2018 and represents an older version of the world's most popular website platform. While it may still be functional for basic website needs, security vulnerabilities discovered since its release have made it increasingly dangerous to operate. Think of it like driving a car from 2018 without any safety updates—it might still run, but it's missing critical safety features that protect you from modern threats.

Website owners sometimes avoid upgrading because they worry about breaking plugins, themes, or custom code. However, staying on WordPress 4.9.6 is like leaving your front door unlocked to avoid changing your keys. The security risks far outweigh any temporary compatibility concerns. Modern WordPress versions include patches for thousands of discovered vulnerabilities, and updating is the single most important step you can take to protect your website.

Key Vulnerabilities in Wordpress 4.9.6

6 CVEs found. The most critical are explained below.

HIGH CVE-2018-12895 8.8/10 · CVSS v3.1 ⏱ Immediate

Author Users Can Delete Critical Website Files

A security weakness allows users with Author-level access to delete your site's most important configuration file (wp-config.php) by exploiting a file handling feature. This happens because WordPress doesn't properly validate which files these users can interact with.

Impact: If exploited, your entire website could become non-functional or completely compromised, as the deleted file contains your database credentials and security keys.

↗ View on NVD

MEDIUM CVE-2025-10175 6.5/10 · CVSS v3.1 ⏱ Within 7 days

WP Links Page Plugin Database Injection Vulnerability

The WP Links Page plugin has a weakness that allows authenticated attackers to manipulate database queries through unsanitized input. This occurs because the plugin doesn't properly filter user-supplied data before using it in database commands.

Impact: Attackers could view, modify, or delete your website's data without authorization, potentially exposing sensitive information or corrupting your content.

↗ View on NVD

MEDIUM CVE-2025-3527 6.4/10 · CVSS v3.1 ⏱ Within 7 days

EventON Pro Plugin Missing Permission Check

The EventON Pro plugin fails to verify user permissions before allowing data modifications. This means users with minimal access (Subscriber level) can make changes they shouldn't be allowed to make.

Impact: Low-level users could modify event settings, pricing, or other important data without proper authorization, causing operational disruptions.

↗ View on NVD

MEDIUM CVE-2024-9435 6.1/10 · CVSS v3.1 ⏱ Within 7 days

ShiftController Plugin Allows Malicious Code Injection

The ShiftController Employee Shift Scheduling plugin doesn't properly clean up information from website URLs before displaying it. Attackers can embed malicious code in links that executes when employees visit them.

Impact: Employees clicking malicious links could have their session hijacked, passwords stolen, or malware installed on their computers.

↗ View on NVD

MEDIUM CVE-2025-13391 5.8/10 · CVSS v3.1 ⏱ Within 7 days

Uni CPO Plugin Allows Unauthorized File Deletion

The Uni CPO WooCommerce plugin doesn't check user permissions before allowing file deletion. Any user, even those with minimal access, could delete important files from your website.

Impact: Product information, pricing data, or other critical files could be deleted without authorization, disrupting your online store operations.

↗ View on NVD

MEDIUM CVE-2023-5606 4.4/10 · CVSS v3.1 ⏱ Within 30 days

ChatBot Plugin Stores Malicious Code in FAQ Section

The ChatBot plugin for WordPress doesn't properly validate input in the FAQ Builder feature. Administrators could accidentally or maliciously insert harmful code that gets permanently stored and displayed to all visitors.

Impact: Visitors to your site could have their information stolen, browsers compromised, or be redirected to malicious websites without their knowledge.

↗ View on NVD

Is your website running Wordpress 4.9.6?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 267 affected sites

How to Check If Your Website Is Affected

1 Log in to your WordPress admin dashboard and look for the WordPress version number in the bottom right corner of the screen, or scroll to the bottom of the page where it displays your WordPress version.
2 Alternatively, add /wp-admin/about.php to your website URL to access the WordPress About page, which clearly displays your current version number.
3 If you don't have direct admin access, contact your web hosting provider or website developer who can verify your WordPress version through your hosting control panel or via FTP/SSH access.

How to Fix These Vulnerabilities

1 Backup your entire website immediately, including all files and database content. Use your hosting provider's backup tool or a WordPress backup plugin like UpdraftPlus to create a complete safety copy.
2 Update all plugins and themes to their latest versions before upgrading WordPress, as older plugins may not be compatible with newer WordPress versions. Deactivate any plugins you no longer use.
3 Upgrade WordPress from 4.9.6 to the latest stable version by navigating to Dashboard > Updates and clicking 'Update Now'. WordPress will typically handle this automatically, but monitor the process to ensure no errors occur.
4 After upgrading, test your website thoroughly by visiting different pages, testing forms, logging in, and checking that all plugins and themes function correctly. If issues arise, restore from your backup and troubleshoot carefully.

Conclusion

WordPress 4.9.6 poses significant security risks that could result in data theft, website defacement, malware infection, or complete loss of functionality. The HIGH severity vulnerability allowing code execution (CVE-2018-12895) alone is reason enough to upgrade immediately. By following this guide and updating your WordPress installation, you eliminate the majority of known threats and protect your business from costly security incidents.

Don't wait until your site is compromised. Visit SiteRecipe.com today to scan your website for outdated software, security vulnerabilities, and potential threats. Our comprehensive security audit will identify exactly what needs attention and provide step-by-step guidance to fix every issue. Protect your website, your visitors, and your business reputation—get your free security scan from SiteRecipe.com now.

Frequently Asked Questions

What does HIGH severity mean for CVE-2018-12895?

HIGH severity means this vulnerability poses a serious threat to your website's security. CVE-2018-12895 allows authenticated attackers to execute arbitrary code and delete critical files like wp-config.php, potentially taking your entire site offline. This is one of the most dangerous types of vulnerabilities possible.

Will upgrading WordPress break my plugins and themes?

While compatibility issues can occasionally occur, most reputable plugins and themes are designed to work with modern WordPress versions. Updating your plugins before upgrading WordPress significantly reduces compatibility risks. Even if minor issues appear, they're far less damaging than a security breach.

Can I skip updates and just use security plugins instead?

Security plugins provide additional protection but cannot replace core WordPress updates. Think of it like adding locks to your doors—security plugins help, but you still need to fix structural damage to your home. Always update WordPress itself while also using security plugins for comprehensive protection.

How long will it take to upgrade WordPress 4.9.6?

The actual upgrade process typically takes 5-15 minutes depending on your website size and complexity. However, you should budget 1-2 hours total for backing up your site, updating plugins, performing the upgrade, and thoroughly testing everything afterward.

What if my hosting provider doesn't support newer WordPress versions?

This is extremely rare with modern hosting providers. WordPress 5.0+ works with PHP 5.6.20+, which virtually all hosting companies support. Contact your host's support team if you encounter this issue—they can usually resolve it quickly by updating your server environment.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 267 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com