WordPress 5.0 remains one of the most vulnerable versions still in use, with 161 documented security flaws affecting 29 known websites. Among these, 15 critical vulnerabilities pose serious risks including remote code execution, SQL injection, and unauthorized admin access. If your site still runs WordPress 5.0, you're operating with significant security exposure that hackers actively exploit.
This comprehensive guide explains the major vulnerabilities in WordPress 5.0, shows you how to determine if your site is at risk, and provides clear steps to secure your installation. Whether you're a business owner or webmaster, understanding these threats is essential for protecting your website and user data.
WordPress 5.0 was released in December 2018 as a major update introducing the Gutenberg block editor. This version represented a significant shift in how content creators build pages and posts, offering more visual flexibility and control. However, this substantial code overhaul also introduced numerous security gaps that weren't immediately apparent to everyday users.
Unlike newer WordPress versions with regular security patches, WordPress 5.0 reached end-of-life years ago, meaning it no longer receives official security updates. This creates a dangerous situation where known vulnerabilities remain unpatched, making sites running this version attractive targets for cybercriminals. The 161 identified CVEs (Common Vulnerabilities and Exposures) range from password bypass flaws to complete website takeover scenarios.
161 CVEs found. The most critical are explained below.
A vulnerability in WordPress 5.0 and earlier allows attackers to inject harmful code through media file requests. It exists because WordPress does not properly validate the data it receives when handling images and other media files.
Impact: An attacker could take control of your website, steal data, or install malware without needing your password.
The popular Contact Form 7 plugin has a flaw that lets users gain more permissions than they should have. Even low-level contributors could perform admin-level actions on your site.
Impact: Someone with basic website access could delete content, modify settings, or compromise your entire website.
The Shortcodes Ultimate plugin contains a serious flaw that allows attackers to run harmful code on your website. They can exploit how the plugin processes shortcodes without proper safety checks.
Impact: Your website could be completely compromised, allowing attackers to steal all data, deface your site, or use it for attacks.
The WP Data Access plugin doesn't properly secure search parameters, allowing attackers to inject malicious database commands. Someone could delete your entire database without authentication.
Impact: Your website's database could be deleted or corrupted, resulting in complete loss of all website data and functionality.
The RegistrationMagic plugin's social login feature has a critical flaw where anyone can log in as any user, including administrators, if they know a valid username. No password verification is required.
Impact: Attackers could gain full administrator access to your website and complete control over all content, settings, and user data.
The WP Search Filters widget in Plus Addons doesn't properly validate search inputs, allowing attackers to inject database commands. This lets them access or modify sensitive database information.
Impact: Attackers could steal all your website data, modify records, or delete important information from your database.
| CVE ID | Severity | CVSS Score | Published | Description |
|---|---|---|---|---|
| CVE-2022-0320 | CRITICAL | 9.8 | 2022-02-01 | The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before it them in include statements, which could allow unauthen… |
| CVE-2023-6316 | CRITICAL | 9.8 | 2024-01-11 | The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and i… |
| CVE-2024-8911 | CRITICAL | 9.8 | 2024-10-08 | The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping… |
| CVE-2024-8943 | CRITICAL | 9.8 | 2024-10-08 | The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being sup… |
| CVE-2019-25217 | CRITICAL | 9.8 | 2024-10-16 | The SiteGround Optimizer plugin for WordPress is vulnerable to authorization bypass leading to Remote Code Execution and Local File Inclusion in versions up to, and including, 5.0… |
| CVE-2024-13442 | CRITICAL | 9.8 | 2025-03-19 | The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin no… |
| CVE-2025-5746 | CRITICAL | 9.8 | 2025-07-02 | The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_u… |
| CVE-2025-7444 | CRITICAL | 9.8 | 2025-07-18 | The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user be… |
| CVE-2024-12626 | CRITICAL | 9.6 | 2024-12-19 | The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via th… |
| CVE-2019-8942 | HIGH | 8.8 | 2019-02-20 | WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending wit… |
| CVE-2019-19979 | HIGH | 8.8 | 2019-12-26 | A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed attackers to enable a vulnerable site's maintenance mode and inject malicious code affecting site visitors. Th… |
| CVE-2022-2594 | HIGH | 8.8 | 2022-08-22 | The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a defa… |
| CVE-2023-0768 | HIGH | 8.8 | 2023-05-08 | The Avirato hotels online booking engine WordPress plugin through 5.0.5 does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which c… |
| CVE-2023-2636 | HIGH | 8.8 | 2023-07-17 | The AN_GradeBook WordPress plugin through 5.0.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by use… |
| CVE-2023-4598 | HIGH | 8.8 | 2023-10-20 | The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the u… |
| CVE-2023-6196 | HIGH | 8.8 | 2023-11-20 | The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validati… |
| CVE-2024-3238 | HIGH | 8.8 | 2024-08-02 | The WordPress Menu Plugin — Superfly Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.29. This is due to … |
| CVE-2025-11923 | HIGH | 8.8 | 2025-11-13 | The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a use… |
| CVE-2025-14390 | HIGH | 8.8 | 2025-12-10 | The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant… |
| CVE-2020-11026 | HIGH | 8.7 | 2020-04-30 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an au… |
| CVE-2025-14124 | HIGH | 8.6 | 2026-01-05 | The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users… |
| CVE-2021-21389 | HIGH | 8.1 | 2021-03-26 | BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obta… |
| CVE-2026-2626 | HIGH | 8.1 | 2026-03-11 | The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-boos… |
| CVE-2026-2592 | HIGH | 7.7 | 2026-02-17 | The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2018-7204 | HIGH | 7.5 | 2018-03-07 | inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the… |
| CVE-2018-20151 | HIGH | 7.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine … |
| CVE-2021-24948 | HIGH | 7.5 | 2022-01-10 | The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenti… |
| CVE-2023-6559 | HIGH | 7.5 | 2023-12-16 | The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the pat… |
| CVE-2024-2848 | HIGH | 7.5 | 2024-03-29 | The Responsive theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_footer_text_callback function in all versions u… |
| CVE-2024-13473 | HIGH | 7.5 | 2025-02-12 | The LTL Freight Quotes – Worldwide Express Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameter in all versions up to, an… |
| CVE-2025-12980 | HIGH | 7.5 | 2025-12-21 | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on th… |
| CVE-2021-24862 | HIGH | 7.2 | 2022-01-10 | The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in ba… |
| CVE-2022-0420 | HIGH | 7.2 | 2022-03-07 | The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, a… |
| CVE-2025-2940 | HIGH | 7.2 | 2025-06-27 | The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] paramet… |
| CVE-2026-1216 | HIGH | 7.2 | 2026-02-17 | The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficie… |
| CVE-2026-1273 | HIGH | 7.2 | 2026-03-04 | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5… |
| CVE-2013-2703 | MEDIUM | 6.8 | 2013-05-05 | Cross-site request forgery (CSRF) vulnerability in the Facebook Members plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators fo… |
| CVE-2014-2598 | MEDIUM | 6.8 | 2015-01-05 | Cross-site request forgery (CSRF) vulnerability in the Quick Page/Post Redirect plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administr… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2018-20147 | MEDIUM | 6.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
| CVE-2018-20152 | MEDIUM | 6.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
| CVE-2019-8943 | MEDIUM | 6.5 | 2019-02-20 | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a file… |
| CVE-2021-24993 | MEDIUM | 6.5 | 2022-02-07 | The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as su… |
| CVE-2022-1323 | MEDIUM | 6.5 | 2022-08-08 | The Discy WordPress theme before 5.0 lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as… |
| CVE-2022-4171 | MEDIUM | 6.5 | 2022-12-13 | The demon image annotation plugin for WordPress is vulnerable to improper input validation in versions up to, and including 5.0. This is due to the plugin improperly validating th… |
| CVE-2022-4537 | MEDIUM | 6.5 | 2023-05-09 | The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions… |
| CVE-2024-5654 | MEDIUM | 6.5 | 2024-06-08 | The CF7 Google Sheets Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'execute_post_data_cg7_free' funct… |
| CVE-2026-1639 | MEDIUM | 6.5 | 2026-02-18 | The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in a… |
| CVE-2026-3079 | MEDIUM | 6.5 | 2026-03-24 | The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action … |
| CVE-2025-14545 | MEDIUM | 6.5 | 2026-04-10 | The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process. |
| CVE-2026-6225 | MEDIUM | 6.5 | 2026-05-14 | The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'project_search' paramet… |
| CVE-2015-5461 | MEDIUM | 6.4 | 2015-07-08 | Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbi… |
| CVE-2020-11030 | MEDIUM | 6.4 | 2020-04-30 | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authent… |
| CVE-2021-34641 | MEDIUM | 6.4 | 2021-08-16 | The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows au… |
| CVE-2023-1403 | MEDIUM | 6.4 | 2023-06-09 | The Weaver Xtreme Theme for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 5.0.7… |
| CVE-2023-4597 | MEDIUM | 6.4 | 2023-08-30 | The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slimstat' shortcode in versions up to, and including, 5.0.9 due to insufficient i… |
| CVE-2023-4963 | MEDIUM | 6.4 | 2023-09-15 | The WS Facebook Like Box Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to … |
| CVE-2023-5233 | MEDIUM | 6.4 | 2023-09-28 | The Font Awesome Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'fawesome' shortcode in versions up to, and including, 5.0 due to insufficient i… |
| CVE-2023-6993 | MEDIUM | 6.4 | 2024-04-09 | The Custom post types, Custom Fields & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and custom post meta in all versions up to… |
| CVE-2024-7100 | MEDIUM | 6.4 | 2024-07-30 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_button shortcode in all versions up to, and including, 5.0.2 due to … |
| CVE-2024-7304 | MEDIUM | 6.4 | 2024-08-27 | The Ninja Tables – Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.12 d… |
| CVE-2024-9445 | MEDIUM | 6.4 | 2024-10-04 | The Display Medium Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's display_medium_posts shortcode in all versions up to, and including, 5.… |
| CVE-2024-12622 | MEDIUM | 6.4 | 2024-12-24 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_cart_button' and 'wp_cart_display_product' shortcodes in … |
| CVE-2024-12505 | MEDIUM | 6.4 | 2025-01-11 | The Trackserver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tsmap' shortcode in all versions up to, and including, 5.0.2 due to insufficien… |
| CVE-2024-9416 | MEDIUM | 6.4 | 2025-04-03 | The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions <= 5.0.36) due to insuffi… |
| CVE-2025-2543 | MEDIUM | 6.4 | 2025-04-24 | The Advanced Accordion Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.2 due to in… |
| CVE-2025-5843 | MEDIUM | 6.4 | 2025-07-16 | The Brandfolder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 5.0.19 due to insufficient input san… |
| CVE-2025-8314 | MEDIUM | 6.4 | 2025-08-12 | The Software Issue Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg parameter in all versions up to, and including, 5.0.1 due to ins… |
| CVE-2025-14745 | MEDIUM | 6.4 | 2026-01-23 | The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' … |
| CVE-2025-14983 | MEDIUM | 6.4 | 2026-02-19 | The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input san… |
| CVE-2026-2367 | MEDIUM | 6.4 | 2026-02-25 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up … |
| CVE-2026-2358 | MEDIUM | 6.4 | 2026-03-11 | The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including,… |
| CVE-2026-6415 | MEDIUM | 6.4 | 2026-05-15 | The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input… |
| CVE-2018-25106 | MEDIUM | 6.3 | 2024-12-23 | A vulnerability, which was classified as critical, has been found in webuidesigning NebulaX Theme up to 5.0 on WordPress. This issue affects the function nebula_send_to_hubspot of… |
| CVE-2018-20150 | MEDIUM | 6.1 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
| CVE-2019-9576 | MEDIUM | 6.1 | 2019-03-05 | The Blog2Social plugin before 5.0.3 for WordPress allows wp-admin/admin.php?page=blog2social-ship XSS. |
| CVE-2016-10870 | MEDIUM | 6.1 | 2019-08-13 | The google-language-translator plugin before 5.0.06 for WordPress has XSS. |
| CVE-2015-9377 | MEDIUM | 6.1 | 2019-08-28 | iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via add_query_arg() and remove_query_arg(). |
| CVE-2020-11027 | MEDIUM | 6.1 | 2020-04-30 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user… |
| CVE-2021-24304 | MEDIUM | 6.1 | 2021-08-09 | The Newsmag WordPress theme before 5.0 does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (… |
| CVE-2021-24648 | MEDIUM | 6.1 | 2022-02-01 | The RegistrationMagic WordPress plugin before 5.0.1.9 does not sanitise and escape the rm_search_value parameter before outputting back in an attribute, leading to a Reflected Cro… |
| CVE-2022-0683 | MEDIUM | 6.1 | 2022-02-24 | The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the… |
| CVE-2023-1282 | MEDIUM | 6.1 | 2023-04-17 | The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage… |
| CVE-2023-2362 | MEDIUM | 6.1 | 2023-06-12 | The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before… |
| CVE-2023-2320 | MEDIUM | 6.1 | 2023-07-04 | The CF7 Google Sheets Connector WordPress plugin before 5.0.2, cf7-google-sheets-connector-pro WordPress plugin through 5.0.2 does not escape a parameter before outputting it back… |
| CVE-2023-5348 | MEDIUM | 6.1 | 2023-12-18 | The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthentic… |
| CVE-2024-3886 | MEDIUM | 6.1 | 2024-08-31 | The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insuffi… |
| CVE-2024-5212 | MEDIUM | 6.1 | 2024-08-31 | The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insuffi… |
| CVE-2024-12165 | MEDIUM | 6.1 | 2024-12-07 | The Mollie for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 5.0.0 due to insu… |
| CVE-2024-12737 | MEDIUM | 6.1 | 2025-02-26 | The WP BASE Booking of Appointments, Services and Events WordPress plugin before 5.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a… |
| CVE-2025-1288 | MEDIUM | 6.1 | 2025-05-15 | The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauth… |
| CVE-2025-5082 | MEDIUM | 6.1 | 2025-05-28 | The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachment_id’ parameter in all versions up to, and including, 5.0.12 due to insuf… |
| CVE-2025-12398 | MEDIUM | 6.1 | 2025-12-21 | The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 d… |
| CVE-2025-14875 | MEDIUM | 6.1 | 2026-01-07 | The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cusdata’ parameter in all versions up to, and including, 5… |
| CVE-2025-14375 | MEDIUM | 6.1 | 2026-01-16 | The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in a… |
| CVE-2026-2433 | MEDIUM | 6.1 | 2026-03-07 | The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2026-1867 | MEDIUM | 5.9 | 2026-03-11 | The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially c… |
| CVE-2020-11025 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires … |
| CVE-2020-11028 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been pat… |
| CVE-2020-11029 | MEDIUM | 5.8 | 2020-04-30 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2025-2939 | MEDIUM | 5.6 | 2025-06-03 | The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted… |
| CVE-2018-20149 | MEDIUM | 5.4 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS… |
| CVE-2018-20153 | MEDIUM | 5.4 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2021-24128 | MEDIUM | 5.4 | 2021-03-18 | Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing medium-privileged … |
| CVE-2023-0378 | MEDIUM | 5.4 | 2023-02-21 | The Greenshift WordPress plugin before 5.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could … |
| CVE-2023-6197 | MEDIUM | 5.4 | 2023-11-20 | The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validati… |
| CVE-2024-4135 | MEDIUM | 5.4 | 2024-05-08 | The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7. This is due to the plugin allowing users to ex… |
| CVE-2024-12772 | MEDIUM | 5.4 | 2025-01-31 | The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, leading to a Cross Site Scrip… |
| CVE-2025-7711 | MEDIUM | 5.4 | 2025-11-17 | The The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5… |
| CVE-2026-1103 | MEDIUM | 5.4 | 2026-01-24 | The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up t… |
| CVE-2026-4056 | MEDIUM | 5.4 | 2026-03-24 | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API e… |
| CVE-2022-4097 | MEDIUM | 5.3 | 2022-12-12 | The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, br… |
| CVE-2023-49162 | MEDIUM | 5.3 | 2023-12-21 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BigCommerce BigCommerce For WordPress.This issue affects BigCommerce For WordPress: from n/a through 5.… |
| CVE-2023-34001 | MEDIUM | 5.3 | 2024-06-04 | Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins – WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.This issue affects H… |
| CVE-2025-11518 | MEDIUM | 5.3 | 2025-10-11 | The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX… |
| CVE-2025-13419 | MEDIUM | 5.3 | 2026-01-07 | The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability chec… |
| CVE-2026-0718 | MEDIUM | 5.3 | 2026-04-16 | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check… |
| CVE-2023-6844 | MEDIUM | 5.0 | 2024-05-23 | The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to and including 5.0 due to insufficient input saniti… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2015-9439 | MEDIUM | 4.8 | 2019-09-26 | The addthis plugin before 5.0.13 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=addthis_social_widget pubid parameter. |
| CVE-2021-24608 | MEDIUM | 4.8 | 2021-10-25 | The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged … |
| CVE-2021-24707 | MEDIUM | 4.8 | 2022-02-01 | The Learning Courses WordPress plugin before 5.0 does not sanitise and escape the Email PDT identity token settings, which could allow high privilege users to perform cross-Site S… |
| CVE-2022-1095 | MEDIUM | 4.8 | 2022-06-27 | The Mihdan: No External Links WordPress plugin before 5.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stor… |
| CVE-2022-3469 | MEDIUM | 4.8 | 2022-11-14 | The WP Attachments WordPress plugin before 5.0.5 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-S… |
| CVE-2022-4330 | MEDIUM | 4.8 | 2023-01-16 | The WP Attachments WordPress plugin before 5.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Si… |
| CVE-2023-2709 | MEDIUM | 4.8 | 2023-07-10 | The AN_GradeBook WordPress plugin through 5.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Sit… |
| CVE-2023-3225 | MEDIUM | 4.8 | 2023-07-10 | The Float menu WordPress plugin before 5.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site S… |
| CVE-2023-1112 | MEDIUM | 4.7 | 2023-03-01 | A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function of the fil… |
| CVE-2025-12569 | MEDIUM | 4.7 | 2025-11-24 | The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redir… |
| CVE-2024-12045 | MEDIUM | 4.4 | 2025-01-08 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the maker title value of the Googl… |
| CVE-2026-2289 | MEDIUM | 4.4 | 2026-03-04 | The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitiza… |
| CVE-2013-3254 | MEDIUM | 4.3 | 2013-05-10 | Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script … |
| CVE-2014-7152 | MEDIUM | 4.3 | 2014-09-26 | Cross-site scripting (XSS) vulnerability in the Easy MailChimp Forms plugin 3.0 through 5.0.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the … |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-0369 | MEDIUM | 4.3 | 2024-03-13 | The Bulk Edit Post Titles plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulkUpdatePostTitles function in all ver… |
| CVE-2024-0829 | MEDIUM | 4.3 | 2024-03-13 | The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or i… |
| CVE-2024-0830 | MEDIUM | 4.3 | 2024-03-13 | The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0. This is due to missing… |
| CVE-2024-5449 | MEDIUM | 4.3 | 2024-06-06 | The WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing plugin for WordPress is vulnerable to unauthorized modificatio… |
| CVE-2024-8432 | MEDIUM | 4.3 | 2024-09-24 | The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sa… |
| CVE-2024-8552 | MEDIUM | 4.3 | 2024-09-26 | The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to,… |
| CVE-2024-10092 | MEDIUM | 4.3 | 2024-10-26 | The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all v… |
| CVE-2024-10399 | MEDIUM | 4.3 | 2024-10-30 | The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-8682 | MEDIUM | 4.3 | 2025-10-11 | The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versio… |
| CVE-2025-11895 | MEDIUM | 4.3 | 2025-10-17 | The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 5.0. This is due to the bmp_user_payout_detail_of_curr… |
| CVE-2025-11742 | MEDIUM | 4.3 | 2025-10-18 | The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action … |
| CVE-2026-1640 | MEDIUM | 4.3 | 2026-02-18 | The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is du… |
| CVE-2026-4066 | MEDIUM | 4.3 | 2026-03-23 | The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versio… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
| CVE-2026-0682 | LOW | 2.2 | 2026-01-17 | The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URL… |
WordPress 5.0's 161 vulnerabilities—including 15 critical flaws that allow complete site takeover—represent a serious security risk that demands immediate action. Delaying updates exposes your website, customer data, and reputation to active exploitation by cybercriminals. The good news is that upgrading to a current WordPress version resolves virtually all known issues and takes just minutes to complete.
Don't leave your business vulnerable another day. Use SiteRecipe.com's security scanning and monitoring tools to identify vulnerabilities across your WordPress installation, track your plugin versions, and receive alerts about new threats. Our platform makes it simple to stay secure with automated update tracking and comprehensive vulnerability reports. Visit SiteRecipe.com today to scan your site for free and protect what matters most.