WordPress 5.0.1 contains 48 documented security vulnerabilities, with 8 classified as critical threats to your website. These flaws expose your site to unauthorized access, data breaches, and complete system compromise. If you're still running this outdated version, you're operating with a significant security risk that attackers actively exploit. Our comprehensive guide walks you through identifying vulnerabilities and implementing essential security patches to protect your WordPress installation from these dangerous exploits.
WordPress 5.0.1 is an older version of WordPress, the world's most popular website building platform used by over 43% of all websites. Released in early 2019, this version introduced the block editor (Gutenberg) and various performance improvements. However, it was released before many critical security patches were developed and tested, leaving sites running this version vulnerable to modern attacks. WordPress 5.0.1 reached end-of-life years ago, meaning it no longer receives security updates from the official WordPress team. This means any vulnerabilities discovered after the version's release—and there have been many—remain unfixed unless you manually update your installation.
48 CVEs found. The most critical are explained below.
WordPress 5.0.1 has a security flaw where contributors (lower-level users) can exploit how the system handles media file information. Attackers can inject malicious code through a crafted request that changes the post metadata entry recording where an attached file is stored (`_wp_attached_file`), manipulating how WordPress processes the attached file.
Impact: An attacker could gain unauthorized access to your website and execute malicious code, potentially stealing data, modifying content, or taking over your entire WordPress installation.
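A defender-side check for the attached-file issue described above, added here as an example; it is not code from the original page or from WordPress. It audits `_wp_attached_file` rows exported from the `wp_postmeta` table for values that do not look like a normal upload path (the real fix is updating WordPress, but a site that ran a vulnerable version should also verify that no entries were tampered with). The `wp_` table prefix, the allowed extension set and the sample rows are assumptions constructed for this example.

```python
"""Audit WordPress attachment post meta for tampered file paths.

Added example (not from the page or from WordPress itself). It checks
`_wp_attached_file` rows exported from wp_postmeta for values that do not
look like a normal upload path. The sample rows below are constructed; a
real run would feed in the result of the SQL in EXPORT_QUERY.
"""
import re
from typing import Iterable

# Assumption: default "wp_" table prefix; adjust for the real installation.
EXPORT_QUERY = (
    "SELECT post_id, meta_value FROM wp_postmeta "
    "WHERE meta_key = '_wp_attached_file';"
)

# A clean upload path looks like "2019/02/photo.jpg": year/month folders and a
# file name with a media extension. The allowed set is a conservative choice
# made for this example, not WordPress's own upload whitelist.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp", "pdf",
               "mp4", "mp3", "svg", "txt", "zip"}
CLEAN_PATH = re.compile(r"^(\d{4}/\d{2}/)?[A-Za-z0-9._-]+$")


def audit_attached_file(value: str) -> list[str]:
    """Return the reasons a `_wp_attached_file` value looks tampered (empty if clean)."""
    reasons = []
    if "\x00" in value:
        reasons.append("null byte")
    if ".." in value.split("/"):
        reasons.append("path traversal segment")
    if "?" in value or "#" in value:
        reasons.append("query or fragment characters in a file path")
    if not CLEAN_PATH.match(value):
        reasons.append("does not match year/month/filename layout")
    ext = value.rsplit(".", 1)[-1].lower() if "." in value else ""
    if ext not in ALLOWED_EXT:
        reasons.append(f"unexpected extension '.{ext}'" if ext else "no file extension")
    return reasons


def find_suspicious(rows: Iterable[tuple[int, str]]) -> list[tuple[int, str, list[str]]]:
    """Filter (post_id, meta_value) rows down to those with at least one finding."""
    findings = []
    for post_id, value in rows:
        reasons = audit_attached_file(value)
        if reasons:
            findings.append((post_id, value, reasons))
    return findings


# Constructed sample rows: two normal uploads and two tampered entries.
SAMPLE_ROWS = [
    (101, "2019/02/photo.jpg"),
    (102, "2018/12/brochure.pdf"),
    (103, "2019/02/upload.php"),
    (104, "../../wp-config.php"),
]

if __name__ == "__main__":
    for post_id, value, reasons in find_suspicious(SAMPLE_ROWS):
        print(f"post {post_id}: {value!r} -> {', '.join(reasons)}")
```

The layout check is a heuristic: installations with custom upload directories will produce findings that need manual review, so treat the output as a list of entries to inspect rather than a verdict. Any row whose value points at a `.php` file or walks outside the uploads directory warrants the post being examined and the site's update history checked.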
The Shortcodes Ultimate plugin (before version 5.0.1) contains a critical flaw in how it processes shortcodes, which are small codes WordPress uses to add features. Attackers can exploit this to run their own code on your website.
Impact: Hackers can execute malicious commands on your server, compromise your database, steal customer information, or completely take over your website.
The RegistrationMagic plugin's social login feature has a flaw where it doesn't properly verify user identity. If someone knows a valid username (which is often public), they can log in as that user without a password.
Impact: Attackers can log in as administrators or any other user, giving them full control over your website, ability to modify content, access sensitive data, or delete everything.
The MW WP Form plugin doesn't properly check what type of files users are uploading. This allows attackers to upload dangerous files (like executables) that shouldn't be allowed on your website.
Impact: Malicious files uploaded to your server can be executed to gain control of your website, steal data, or use your server for other attacks.
The LatePoint booking plugin has a flaw in how it processes database requests. An attacker can manipulate these requests to change any user's password, including administrator accounts.
Impact: Attackers can reset passwords for administrator accounts and gain complete control of your website without knowing the current password.
The LatePoint booking plugin doesn't properly verify that booking customers are who they claim to be. This allows anyone to log in as any existing user, including admins, without providing a password.
Impact: Unauthorized users can access admin accounts and gain full control of your website, customer data, and all business operations.
| CVE ID | Severity | CVSS Score | Published | Description |
|---|---|---|---|---|
| CVE-2019-25217 | CRITICAL | 9.8 | 2024-10-16 | The SiteGround Optimizer plugin for WordPress is vulnerable to authorization bypass leading to Remote Code Execution and Local File Inclusion in versions up to, and including, 5.0… |
| CVE-2025-7444 | CRITICAL | 9.8 | 2025-07-18 | The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user be… |
| CVE-2019-8942 | HIGH | 8.8 | 2019-02-20 | WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending wit… |
| CVE-2023-2636 | HIGH | 8.8 | 2023-07-17 | The AN_GradeBook WordPress plugin through 5.0.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by use… |
| CVE-2025-14124 | HIGH | 8.6 | 2026-01-05 | The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users… |
| CVE-2026-2592 | HIGH | 7.7 | 2026-02-17 | The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due… |
| CVE-2018-20151 | HIGH | 7.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine … |
| CVE-2021-24862 | HIGH | 7.2 | 2022-01-10 | The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in ba… |
| CVE-2025-2940 | HIGH | 7.2 | 2025-06-27 | The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] paramet… |
| CVE-2026-1216 | HIGH | 7.2 | 2026-02-17 | The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficie… |
| CVE-2020-4047 | MEDIUM | 6.8 | 2020-06-12 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.… |
| CVE-2018-20147 | MEDIUM | 6.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
| CVE-2018-20152 | MEDIUM | 6.5 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
| CVE-2022-4537 | MEDIUM | 6.5 | 2023-05-09 | The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions… |
| CVE-2024-7304 | MEDIUM | 6.4 | 2024-08-27 | The Ninja Tables – Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.12 d… |
| CVE-2024-9445 | MEDIUM | 6.4 | 2024-10-04 | The Display Medium Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's display_medium_posts shortcode in all versions up to, and including, 5.… |
| CVE-2025-5843 | MEDIUM | 6.4 | 2025-07-16 | The Brandfolder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 5.0.19 due to insufficient input san… |
| CVE-2025-8314 | MEDIUM | 6.4 | 2025-08-12 | The Software Issue Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 5.0.1 due to ins… |
| CVE-2025-14745 | MEDIUM | 6.4 | 2026-01-23 | The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' … |
| CVE-2025-14983 | MEDIUM | 6.4 | 2026-02-19 | The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input san… |
| CVE-2026-2367 | MEDIUM | 6.4 | 2026-02-25 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up … |
| CVE-2026-2358 | MEDIUM | 6.4 | 2026-03-11 | The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including,… |
| CVE-2018-20150 | MEDIUM | 6.1 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
| CVE-2021-24648 | MEDIUM | 6.1 | 2022-02-01 | The RegistrationMagic WordPress plugin before 5.0.1.9 does not sanitise and escape the rm_search_value parameter before outputting back in an attribute, leading to a Reflected Cro… |
| CVE-2025-5082 | MEDIUM | 6.1 | 2025-05-28 | The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachment_id’ parameter in all versions up to, and including, 5.0.12 due to insuf… |
| CVE-2025-14375 | MEDIUM | 6.1 | 2026-01-16 | The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in a… |
| CVE-2026-2433 | MEDIUM | 6.1 | 2026-03-07 | The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up… |
| CVE-2020-4048 | MEDIUM | 5.7 | 2020-06-12 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect wh… |
| CVE-2025-2939 | MEDIUM | 5.6 | 2025-06-03 | The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted… |
| CVE-2018-20149 | MEDIUM | 5.4 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS… |
| CVE-2018-20153 | MEDIUM | 5.4 | 2018-12-14 | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. |
| CVE-2020-4046 | MEDIUM | 5.4 | 2020-06-12 | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor… |
| CVE-2024-12772 | MEDIUM | 5.4 | 2025-01-31 | The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, leading to a Cross Site Scrip… |
| CVE-2026-4056 | MEDIUM | 5.4 | 2026-03-24 | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API e… |
| CVE-2015-9439 | MEDIUM | 4.8 | 2019-09-26 | The addthis plugin before 5.0.13 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=addthis_social_widget pubid parameter. |
| CVE-2023-2709 | MEDIUM | 4.8 | 2023-07-10 | The AN_GradeBook WordPress plugin through 5.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Sit… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-10092 | MEDIUM | 4.3 | 2024-10-26 | The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all v… |
| CVE-2024-10399 | MEDIUM | 4.3 | 2024-10-30 | The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up… |
| CVE-2025-8682 | MEDIUM | 4.3 | 2025-10-11 | The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versio… |
| CVE-2020-4050 | LOW | 3.5 | 2020-06-12 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plu… |
| CVE-2020-4049 | LOW | 2.4 | 2020-06-12 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes p… |
WordPress 5.0.1 poses an unacceptable security risk with 48 known vulnerabilities waiting to be exploited. The 8 critical flaws alone could allow attackers to hijack your site, steal user data, and inject malicious code—compromising your business reputation and customer trust. Updating to the latest WordPress version is non-negotiable for any responsible website owner. SiteRecipe.com provides automated vulnerability scanning, one-click patching, and continuous security monitoring to keep your WordPress installation protected. Don't wait for a breach to happen—secure your site today with SiteRecipe's comprehensive security suite and stop worrying about version vulnerabilities forever.