Security Advisory

WordPress 4.9.9 Security: 18 CVEs Explained & Fixed

June 07, 2026 · 5 min read · SiteRecipe Security Team
229 websites still running WordPress 4.9.9
18 CVEs total: 2 Critical, 5 High, 11 Medium

WordPress 4.9.9 is an older version that contains 18 known security vulnerabilities, including 2 critical flaws that could allow attackers to execute code on your website or steal sensitive data. If your site still runs this version, you're at serious risk of compromise. Even though only 229 websites were found still using this outdated version, the threats are real and actively exploited by cybercriminals.

In this guide, we'll explain what these vulnerabilities are, how to check if your site is affected, and the exact steps to secure your WordPress installation. Whether you're a small business owner or run a larger operation, protecting your site from these known attacks should be your top priority.

What is WordPress 4.9.9?

WordPress 4.9.9 is an older release of WordPress, the world's most popular website platform used by over 43% of all websites. This version was released in 2019 and marked a transition point before WordPress 5.0 introduced the new block editor. Many website owners continue using older WordPress versions because they're familiar with them or hesitant to update, not realizing they're leaving their sites vulnerable to known attacks.

Think of WordPress 4.9.9 as an older building with faulty locks and security systems. It may still function, but its security gaps have been documented and publicized. Hackers actively scan the internet for websites running outdated WordPress versions because they know exactly how to break in. The 18 vulnerabilities in this version range from allowing attackers to inject malicious code to stealing user information and taking over administrator accounts.

Key Vulnerabilities in WordPress 4.9.9

18 CVEs found. The most critical are explained below.

CRITICAL · CVE-2018-20148 · CVSS v3.0 9.8/10 · Priority: Immediate
Hackers can inject malicious code through media uploads

Attackers can craft special files that trick WordPress into executing harmful code when you upload media like images. This happens through a technical loophole in how WordPress processes file metadata.

Impact: A hacker could gain complete control of your website, steal data, or modify your content without your permission.
CRITICAL · CVE-2024-2472 · CVSS v3.1 9.1/10 · Priority: Immediate
LatePoint plugin allows unauthorized access to customer data

If you use the LatePoint scheduling plugin, attackers can bypass security checks to access and modify customer information without logging in. The cause is a missing authorization check in the plugin code.

Impact: Customer data could be stolen, deleted, or modified. Your business could lose customer trust and face legal liability.
HIGH · CVE-2019-8942 · CVSS v3.0 8.8/10 · Priority: Immediate
Staff can upload infected images to take over your website

An author or editor on your team could upload a specially crafted image file that actually contains executable code. WordPress would then run this code, giving attackers full access.

Impact: Your website could be completely compromised, ransomware could be installed, or sensitive business data could be stolen.
HIGH · CVE-2024-8247 · CVSS v3.1 8.8/10 · Priority: Immediate
Newsletters plugin allows privilege escalation attacks

The Newsletters plugin has a flaw where basic users can change settings they shouldn't have access to, potentially gaining administrator-level powers.

Impact: Lower-level accounts could escalate to admin access and take complete control of your website and all its data.
HIGH · CVE-2018-20151 · CVSS v3.0 7.5/10 · Priority: Within 7 days
User activation page may expose email addresses to search engines

Under certain uncommon configurations, the page where users activate their accounts could be indexed by Google or other search engines, publicly displaying email addresses.

Impact: Your users' email addresses could be publicly searchable, leading to spam, phishing attempts, or privacy violations.
HIGH · CVE-2025-2009 · CVSS v3.1 7.2/10 · Priority: Immediate
Newsletters plugin allows injection of malicious scripts

The Newsletters plugin doesn't properly filter user input in its logging system, allowing attackers to insert malicious code that runs in visitors' browsers.

Impact: Visitor information could be stolen, malware could be distributed, or your site's reputation could be damaged.

Additional Vulnerabilities (12 more)

Showing first 10 of 12.

CVE ID | Severity | Score | Published | Description
CVE-2025-4857 | HIGH | 7.2 | 2025-05-31 | The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. This makes it possible for authe…
CVE-2018-20147 | MEDIUM | 6.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.
CVE-2018-20152 | MEDIUM | 6.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.
CVE-2025-3107 | MEDIUM | 6.5 | 2025-05-13 | The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.9.9.8 due to insufficient escapi…
CVE-2024-10181 | MEDIUM | 6.4 | 2024-10-29 | The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to…
CVE-2018-20150 | MEDIUM | 6.1 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.
CVE-2024-8850 | MEDIUM | 6.1 | 2024-09-19 | The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for th…
CVE-2024-13739 | MEDIUM | 6.1 | 2025-03-22 | The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input…
CVE-2018-20149 | MEDIUM | 5.4 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS…
CVE-2018-20153 | MEDIUM | 5.4 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
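Before acting on a list like the one above, confirm that the installed version of the component each CVE names actually falls inside the affected range stated in the NVD description: the core entries read "before 4.9.9 and 5.x before 5.0.1", while the Newsletters plugin entries read "up to, and including, 4.9.9.x", which is a plugin version rather than a WordPress core version. The following Python code is an added example, not SiteRecipe's or WordPress's own code; it parses those two NVD phrasings from the description text quoted in the table and compares a version string against them, and the version.php excerpt is a constructed sample in the format WordPress core uses for $wp_version.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: a wp-includes/version.php excerpt in the form WordPress core
# uses ($wp_version = '...';) and two CVE descriptions quoted from the table on this page.
SAMPLE_VERSION_PHP = "<?php\n/** The WordPress version string */\n$wp_version = '4.9.9';\n"
CORE_CVE_2018_20147 = ("In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify "
                       "metadata to bypass intended restrictions on deleting files.")
PLUGIN_CVE_2025_4857 = ("The Newsletters plugin for WordPress is vulnerable to Local File "
                        "Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter.")
# NVD wording: "before X" (exclusive, optionally branch-scoped as "5.x before X") and
# "up to, and including, X" (inclusive).
BEFORE_RE = re.compile(r"(?:(\d+)\.x\s+)?before\s+(\d+(?:\.\d+)*)")
UP_TO_RE = re.compile(r"up to,? and including,?\s+(\d+(?:\.\d+)*)")

def parse_version(text: str) -> Tuple[int, ...]:
    """'4.9.9' -> (4, 9, 9); '4.9.9.9' -> (4, 9, 9, 9)."""
    return tuple(int(p) for p in text.strip().split("."))

def version_cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare with zero padding so that (5,) == (5, 0, 0); returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def installed_core_version(version_php: str) -> Optional[str]:
    """Read $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    return m.group(1) if m else None

def affected_clauses(description: str) -> List[Tuple[Optional[int], Tuple[int, ...], bool]]:
    """Return (major branch or None, boundary version, inclusive) for each clause found."""
    clauses = [(int(br) if br else None, parse_version(up), False)
               for br, up in BEFORE_RE.findall(description)]
    clauses += [(None, parse_version(up), True) for up in UP_TO_RE.findall(description)]
    return clauses

def is_affected(version: str, description: str) -> Optional[bool]:
    """None when no parseable range is found (do not assume safe); else True/False."""
    clauses = affected_clauses(description)
    if not clauses:
        return None
    v = parse_version(version)
    for branch, boundary, inclusive in clauses:
        if branch is not None and v[0] != branch:
            continue  # "5.x before 5.0.1" says nothing about a 4.x install
        c = version_cmp(v, boundary)
        if c < 0 or (inclusive and c == 0):
            return True
    return False
```

Compare the core version against core CVEs and the plugin's own version (from its plugin header) against plugin CVEs; a None result means the description gave no range the parser understands, so look the CVE up rather than treating the site as unaffected.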


How to Check If Your Website Is Affected

How to Fix These Vulnerabilities

Conclusion

WordPress 4.9.9 contains serious security vulnerabilities that expose your site to hackers, data theft, and malware infections. The two critical CVEs alone could allow attackers to execute arbitrary code on your server or bypass access controls entirely. Updating to the latest WordPress version and keeping all plugins current is the most effective way to close these security gaps and protect your business.

Don't wait for a breach to happen. Use SiteRecipe.com's automated security monitoring to scan your WordPress site for known vulnerabilities, receive alerts about outdated software, and get step-by-step guidance on fixing security issues. Our platform makes it simple to stay secure without technical expertise. Start your free security audit at SiteRecipe.com today and get peace of mind knowing your site is protected.

Frequently Asked Questions

Will updating WordPress 4.9.9 break my website?
Most WordPress updates are backward compatible and won't break your site, especially if your plugins and themes are regularly maintained. However, extremely old plugins may have compatibility issues. This is why creating a backup before updating is crucial—if any problems occur, you can revert to your previous version while you troubleshoot.
What's the difference between Critical and High severity CVEs?
Critical vulnerabilities can be exploited without any user action and allow complete system compromise, like remote code execution. High severity CVEs still pose serious risks but may require specific conditions or user interaction to exploit. Both require immediate attention, but critical vulnerabilities should be patched first.
How often do I need to update WordPress to stay secure?
WordPress releases security updates frequently—sometimes within weeks of discovering vulnerabilities. Set your site to automatic updates in Dashboard > Updates, or manually check for updates at least monthly. This ensures you're always protected against newly discovered threats without requiring much effort on your part.
Are there any WordPress versions I should avoid?
Yes, any WordPress version older than two major releases (currently before 6.0) is considered outdated and unsupported. Version 4.9.9 specifically reached end-of-life years ago, meaning it receives no security updates anymore. Always use a version that's actively supported by the WordPress team.
Can hackers really exploit these CVEs on my WordPress 4.9.9 site?
Absolutely. These CVEs are publicly documented, which means hackers have working exploits and regularly scan the internet for vulnerable sites. Bots specifically look for outdated WordPress versions and attempt exploitation automatically. Running 4.9.9 means your site is actively being targeted by automated attacks.


DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com