WordPress 4.9.8, released in September 2018, contains two high-severity security vulnerabilities that put over 1,200 websites at serious risk. These CVEs can lead to remote code execution and cross-site scripting attacks, allowing hackers to take complete control of your website or steal sensitive user data. If your site is still running this outdated version, it's critical to take action immediately to protect your business and users.
In this comprehensive guide, we'll explain what these vulnerabilities are, how to identify if your site is affected, and walk you through the step-by-step process of securing your WordPress installation. Whether you're a small business owner or a website administrator, understanding these security risks is essential to protecting your digital assets.
What is Wordpress 4.9.8?
WordPress 4.9.8 is an older version of WordPress, the world's most popular website platform, used by over 40% of all websites on the internet. Released in 2018, this version includes basic content management features that allow users to create and publish posts, manage pages, and handle media files. For years, WordPress 4.9.8 was considered a stable release, but security researchers have since discovered critical flaws that were overlooked during initial development.
Think of WordPress like a storefront for your website—it's the framework that holds everything together. When vulnerabilities are discovered in older versions like 4.9.8, it's similar to finding that your storefront has weak locks and broken doors. Hackers know exactly where these vulnerabilities are and actively search for websites running outdated WordPress versions to exploit them for profit.
Key Vulnerabilities in Wordpress 4.9.8
2 CVEs found. The most critical are explained below.
WordPress 4.9.8 has a weakness in how it processes images when you upload them. A hacker with login access could exploit this to run malicious code on your website.
Impact: An attacker could take complete control of your website, steal data, or use it to attack your visitors.
The Secure Copy Content Protection plugin doesn't properly filter malicious code injected through certain web requests. An attacker doesn't need login access to exploit this.
Impact: Hackers could inject malicious scripts that steal visitor information, redirect users to phishing sites, or deface your website content.
1Log in to your WordPress admin dashboard and scroll to the bottom right corner where you'll see your current WordPress version number displayed
2If you see version 4.9.8 or earlier, your site is affected by at least one of these critical vulnerabilities
3Check your installed plugins, particularly the Secure Copy Content Protection plugin, as one CVE specifically targets this plugin in versions 4.9.8 and below
How to Fix These Vulnerabilities
1Back up your entire WordPress site first—use your hosting provider's backup tool or a plugin like UpdraftPlus to save your database and files
2Update WordPress to the latest version by going to Dashboard > Updates and clicking 'Update Now' for WordPress core
3Update all your plugins and themes, especially the Secure Copy Content Protection plugin, as this is specifically mentioned in one of the CVEs
4After updating, test your website thoroughly by visiting key pages, checking forms, and verifying that content displays correctly
Conclusion
WordPress 4.9.8 contains two high-severity vulnerabilities (CVE-2018-1000773 and CVE-2026-1320) that expose your website to remote code execution and cross-site scripting attacks. These aren't theoretical risks—hackers are actively scanning for outdated WordPress installations to exploit. By following the steps in this guide, you can quickly update your site and eliminate these security threats in under 30 minutes.
Don't leave your website vulnerable to attacks. Use SiteRecipe.com to continuously monitor your WordPress security, receive instant alerts about CVEs affecting your site, and get automated recommendations for fixes. Our platform scans your website for security vulnerabilities and provides step-by-step remediation guides tailored to your specific setup. Start your free security assessment today and protect your website from cyber threats.
Frequently Asked Questions
What does CVE-2018-1000773 do to my WordPress site?
This vulnerability exploits WordPress's thumbnail processing feature to allow attackers to execute arbitrary code on your server. This means hackers can take complete control of your website, steal data, inject malware, or use your site to attack other websites. It's a critical security flaw because it bypasses WordPress security measures.
Am I still at risk if I'm not using the Secure Copy Content Protection plugin?
Yes, you're still at risk from CVE-2018-1000773, which affects WordPress core itself and doesn't require any specific plugin. Additionally, there may be other plugins you're using that have their own vulnerabilities. This is why updating WordPress immediately is essential for all users on version 4.9.8.
Will updating WordPress break my website or cause data loss?
No, WordPress updates are designed to be backward-compatible. That's why creating a backup first is so important—it gives you peace of mind. In rare cases where a plugin isn't compatible with the new version, you'll see a warning before updating, allowing you to address it first.
How long will WordPress 4.9.8 continue to receive security patches?
WordPress 4.9.8 is no longer supported and hasn't received security updates since 2019. This means any new vulnerabilities discovered will never be patched for this version. You must upgrade to a current version to receive ongoing security support and updates.
What's the difference between updating WordPress automatically versus manually?
WordPress 4.9.8 and later versions support automatic updates in the background. Manual updates give you more control and let you backup first, which is the safer approach. We recommend the manual method to ensure you have a complete backup before any changes are made.
Generate white-label reports for your clients
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.
DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability
Database (NVD) maintained by NIST. Detection of a technology version does not confirm active
exploitation on any specific website. For informational purposes only.
SiteRecipe is not responsible for actions taken based on this report.
Always consult a qualified security professional.