WordPress 5.0.2 is currently running on 124 websites worldwide, but recent security analysis has uncovered 23 vulnerabilities that could put your site at serious risk. Among these, 7 are classified as HIGH severity, with potential impacts ranging from unauthorized data modification to SQL injection attacks. If you're running this version, immediate action is needed to protect your website and user data.
This comprehensive guide will walk you through identifying if your site is affected, understanding the specific threats, and implementing the necessary security updates. We'll cover the most critical CVEs discovered in WordPress 5.0.2 and provide step-by-step instructions to secure your installation.
WordPress 5.0.2 is an older release of the world's most popular website platform, powering over 43% of all websites on the internet. This version, released several years ago, contains the core WordPress system that allows users to create, publish, and manage website content without advanced coding knowledge. While it served its purpose at the time of release, security vulnerabilities have been discovered that modern attackers can exploit.
The vulnerabilities found in WordPress 5.0.2 aren't just theoretical risks—they're actively exploited by cybercriminals to gain unauthorized access, steal data, and compromise website functionality. These include Cross-Site Request Forgery (CSRF) attacks, SQL injection vulnerabilities, and unauthorized data modification issues. Even if you're running WordPress 5.0.2 with popular plugins and themes, your site could be vulnerable to attacks that bypass normal security checks.
23 CVEs found. The most critical are explained below.
The Superfly Responsive Menu plugin has a security gap that allows hackers to trick your site into deleting menu items without permission. This happens because the plugin doesn't properly verify that requests are legitimate before processing them.
Impact: An attacker could delete your website's navigation menus, disrupting how visitors navigate your site and potentially damaging your site's usability and SEO.
The Divi Booster plugin before version 5.0.2 allows anyone, even visitors without accounts, to change your plugin's settings. Additionally, the plugin uses unsafe code processing that could allow attackers to execute malicious code.
Impact: Attackers could modify your website's appearance, functionality, or inject malicious code that affects all your visitors and potentially steals sensitive information.
WordPress allows administrators to upload plugin files, but this vulnerability lets them upload files that aren't actually plugins. If your site requests FTP credentials during installation, attackers could potentially gain server access.
Impact: A compromised admin account or social engineering could lead to full server access, allowing attackers to steal your entire website and customer data.
The Giribaz File Manager plugin before 5.0.2 logs all file editing activity, including sensitive database passwords from your wp-config.php file. These logs are stored in an unprotected folder that anyone can access.
Impact: Hackers could read your database credentials and gain complete control over your website, customer data, and all stored information.
The Responsive theme up to version 5.0.2 lacks proper permission checks on its footer editing feature. This allows anyone, including anonymous visitors, to change your website's footer content and inject malicious code.
Impact: Attackers could inject malware, phishing content, or redirect visitors to dangerous sites, damaging your reputation and potentially infecting your visitors' devices.
The LTL Freight Quotes plugin has a SQL injection vulnerability, meaning attackers can inject malicious database commands through the plugin's parameters. The plugin doesn't properly filter user input before sending it to your database.
Impact: Attackers could steal sensitive data like customer information, orders, and pricing details, or completely corrupt your database and shut down your website.
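The three root causes described above (a request that is not verified, a feature with no permission check, and user input reaching SQL unfiltered) share one fix pattern in WordPress. The following added example is not code from any plugin or theme named on this page: it shows a hypothetical admin-ajax handler written the vulnerable way and then hardened with the core APIs check_ajax_referer() for CSRF, current_user_can() for authorization, and $wpdb->prepare() for SQL. The "acme" prefix, the table name and the capability chosen are assumptions.

```php
<?php
// Added example (not from any plugin on this page). Hypothetical "acme" plugin
// exposing an admin-ajax endpoint that deletes a menu item by id.

// VULNERABLE: no nonce, no capability check, id interpolated into SQL.
// Any logged-in user (or, if registered with wp_ajax_nopriv_, any visitor)
// can trigger it, and whatever arrives in 'id' becomes part of the query.
function acme_delete_menu_item_vulnerable() {
    global $wpdb;
    $id = $_POST['id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}acme_menu WHERE id = $id" );
    wp_send_json_success();
}

// HARDENED: verify the request came from our own form (CSRF), verify the
// caller is allowed to edit menus (authorization), and let $wpdb bind the value.
function acme_delete_menu_item_hardened() {
    global $wpdb;

    // 1. CSRF: the 'nonce' field must carry a value issued by
    //    wp_create_nonce( 'acme_delete_menu' ); on failure the request is terminated.
    check_ajax_referer( 'acme_delete_menu', 'nonce' );

    // 2. Authorization: a nonce is not a permission check, so test the capability too.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Input handling: coerce to a non-negative integer and bind it as %d,
    //    so the value can never change the structure of the statement.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->prefix}acme_menu WHERE id = %d", $id )
    );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Register only the privileged hook; with no wp_ajax_nopriv_ variant, anonymous
// visitors cannot reach the handler at all.
add_action( 'wp_ajax_acme_delete_menu_item', 'acme_delete_menu_item_hardened' );
```

When auditing a plugin, grep its wp_ajax_ and admin_post_ handlers for exactly these three checks; a handler missing any of them matches the pattern behind the findings above.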
| CVE ID | Severity | CVSS score | Published | Description |
|---|---|---|---|---|
| CVE-2022-0420 | HIGH | 7.2 | 2022-03-07 | The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, a… |
| CVE-2021-24993 | MEDIUM | 6.5 | 2022-02-07 | The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as su… |
| CVE-2026-1639 | MEDIUM | 6.5 | 2026-02-18 | The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in a… |
| CVE-2025-14545 | MEDIUM | 6.5 | 2026-04-10 | The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process. |
| CVE-2024-7100 | MEDIUM | 6.4 | 2024-07-30 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_button shortcode in all versions up to, and including, 5.0.2 due to … |
| CVE-2024-12505 | MEDIUM | 6.4 | 2025-01-11 | The Trackserver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tsmap' shortcode in all versions up to, and including, 5.0.2 due to insufficien… |
| CVE-2025-2543 | MEDIUM | 6.4 | 2025-04-24 | The Advanced Accordion Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.2 due to in… |
| CVE-2026-6415 | MEDIUM | 6.4 | 2026-05-15 | The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input… |
| CVE-2023-2362 | MEDIUM | 6.1 | 2023-06-12 | The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before… |
| CVE-2023-2320 | MEDIUM | 6.1 | 2023-07-04 | The CF7 Google Sheets Connector WordPress plugin before 5.0.2, cf7-google-sheets-connector-pro WordPress plugin through 5.0.2 does not escape a parameter before outputting it back… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2023-34001 | MEDIUM | 5.3 | 2024-06-04 | Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins – WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.This issue affects H… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2022-1095 | MEDIUM | 4.8 | 2022-06-27 | The Mihdan: No External Links WordPress plugin before 5.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stor… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2026-1640 | MEDIUM | 4.3 | 2026-02-18 | The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is du… |
| CVE-2026-0682 | LOW | 2.2 | 2026-01-17 | The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URL… |
WordPress 5.0.2 poses significant security risks with 23 documented vulnerabilities that could compromise your website's integrity and user trust. The HIGH-severity CVEs we've identified—including CSRF attacks, SQL injection, and unauthorized data modification—are actively exploited by attackers. Taking action now isn't optional; it's essential to protecting your site, your users' data, and your business reputation.
Don't leave your security to chance. Use SiteRecipe.com's comprehensive vulnerability scanning tool to identify all CVEs affecting your WordPress installation, get personalized remediation guidance, and receive ongoing monitoring alerts for emerging threats. Our platform makes it easy for site owners and developers to maintain security compliance without extensive technical knowledge. Start your free security audit today and take control of your WordPress site's protection.