WordPress 5.0.4 is still running on nearly 3,000 websites worldwide, and nine significant vulnerabilities (CVEs) are catalogued against that version string. They range from a critical privilege-escalation flaw to Cross-Site Request Forgery (CSRF), unauthenticated file upload and stored cross-site scripting (XSS) issues that can compromise your site and your users' data. If you are still running this outdated version, it is time to understand exactly which threats apply and to act on them.
This guide walks through identifying whether your site is vulnerable, understanding each threat, and applying the updates you need. The technical details are explained in plain terms so you can protect your installation immediately.
WordPress 5.0.4 is a maintenance release of WordPress, the world's most widely used website platform, published several years ago. WordPress powers blogs, business websites, online stores and more, but each release branch receives security updates only for a limited time. Version 5.0.4 is now outdated, and running it leaves your site exposed to known flaws that attackers actively scan for.
Each new WordPress release carries fixes for vulnerabilities found since the last one, so staying on 5.0.4 means those fixes are missing. Plugins (contact forms, audio and video players, custom post types and the like) are updated on their own schedules and carry their own vulnerabilities; an installation that is behind on core is usually behind on its plugins as well, and the combination multiplies the entry points an attacker can use.
9 CVEs found. Note that in the advisories below the version numbers refer to each plugin's own release (for example Contact Form 7 before its version 5.0.4), not to WordPress core. The six most significant are explained here.
The Contact Form 7 plugin before version 5.0.4 (CVE-2018-20979) allows privilege escalation: the plugin does not properly check the current user's capabilities when managing forms, so a lower-privileged account can perform actions reserved for administrators.
Impact: An attacker holding a low-privileged account could take full control of the site, read sensitive data, modify content, or inject code that runs in visitors' browsers.
The Audio Merchant plugin before version 5.0.4 performs no authorization or anti-CSRF check on its file-upload handler. The upload endpoint can therefore be driven by an attacker who is not logged in at all, or by forging a request from the browser of a user who is.
Impact: Attackers could place arbitrary files on the server, including web shells or malware, compromising the site and exposing its visitors.
The Video Merchant plugin version 5.0.4 and earlier validates neither the uploaded file nor the request that carries it, so a file of any type can be uploaded without authentication.
Impact: Unauthorized files could be written to the server, potentially containing malware or server-side code that compromises the site and enables remote attacks.
The Custom Post Types plugin before version 5.0.4 does not sanitize or escape the values entered in custom fields, so an attacker can store a script in a field that executes in the browser of anyone who views the page (stored XSS).
Impact: Visitors could have their session data stolen, be redirected to malicious sites, or be served malware from a page they trust.
The Team Members plugin before version 5.0.4 allows users with the Contributor or Editor role to store script in a member's biography; the script runs in the browser of every visitor who views that profile (stored XSS).
Impact: A compromised or malicious low-privileged account could steal visitor data or serve malware; cleanup means removing the injected markup and auditing every account with edit rights.
The Audio Merchant plugin before version 5.0.4 performs no nonce check on its settings page, so a request that changes plugin settings is accepted whenever an administrator's browser can be tricked into sending it (CSRF).
Impact: Attackers could rewrite audio player settings, redirect listeners to malicious sites, or inject advertisements and malicious content into the player.
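The upload and settings-page entries above (Audio Merchant, Video Merchant) and the Contact Form 7 capability check all come down to the same thing: a request handler that acts without verifying who is sending the request and whether they meant to. The following is an added example written for this page, not code from any of those plugins. It places a vulnerable admin-ajax upload handler next to a hardened one, then applies the same two checks to a settings-page form handler. Assumed (hypothetical) names: AJAX action `sr_upload_media`, nonce actions `sr_upload` and `sr_save_settings`, option `sr_player_redirect`; every function called is WordPress core API.

```php
<?php
/**
 * Added example for this page, not code from Audio Merchant, Video Merchant,
 * Contact Form 7 or any other plugin. Assumed names: AJAX action
 * "sr_upload_media", nonce actions "sr_upload" and "sr_save_settings",
 * option "sr_player_redirect". All calls are WordPress core API.
 */

// --- Vulnerable: reachable by anyone, no nonce, no type check ---------------
// wp_ajax_nopriv_* registers the handler for logged-out visitors, so any POST
// to /wp-admin/admin-ajax.php?action=sr_upload_media is accepted as-is.
// Shown for contrast only; the two add_action calls are commented out.
// add_action( 'wp_ajax_nopriv_sr_upload_media', 'sr_upload_media_vulnerable' );
// add_action( 'wp_ajax_sr_upload_media', 'sr_upload_media_vulnerable' );

function sr_upload_media_vulnerable() {
    $dest = wp_upload_dir()['path'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest ); // name and bytes are attacker-chosen
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Hardened: logged-in hook only, nonce, capability, content validation ---
// With no nopriv handler, admin-ajax.php answers logged-out requests with "0".
add_action( 'wp_ajax_sr_upload_media', 'sr_upload_media_hardened' );

function sr_upload_media_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action; check_ajax_referer terminates the request if it is missing or stale.
    check_ajax_referer( 'sr_upload', 'nonce' );

    // 2. Authorization: being logged in is not enough, the role must allow uploads.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Content validation: only the media types this feature needs. Core
    //    compares the declared type with the file's contents where PHP's
    //    fileinfo extension is available, not just with the file name.
    $allowed = array( 'mp3' => 'audio/mpeg', 'mp4' => 'video/mp4' );
    $check   = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let core move the file: it sanitizes the name, re-checks the type and
    //    stores the file under wp-content/uploads instead of a caller-chosen path.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}

// The page that sends the upload needs the nonce. wp_create_nonce binds it to
// the current user and session, which is what makes a forged cross-site
// request fail step 1 above.
function sr_upload_nonce() {
    return wp_create_nonce( 'sr_upload' );
}

// --- Settings page: the same two checks on a form POST to admin-post.php ----
add_action( 'admin_post_sr_save_settings', 'sr_save_settings_hardened' );

function sr_save_settings_hardened() {
    check_admin_referer( 'sr_save_settings' ); // field emitted by wp_nonce_field( 'sr_save_settings' )
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Sanitize the one value stored: a redirect target must be a URL and nothing else.
    $url = isset( $_POST['player_redirect'] ) ? esc_url_raw( wp_unslash( $_POST['player_redirect'] ) ) : '';
    update_option( 'sr_player_redirect', $url );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url( 'options-general.php' ) );
    exit;
}
```

Dropping the `wp_ajax_nopriv_` registration is what turns the endpoint into an authenticated one, the capability check is what stops a Subscriber from using it, and the nonce is what stops an administrator's own browser from being turned against the site by a page they were lured to. An advisory that says "missing security checks" usually means one or more of those three is absent.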
| CVE ID | Severity | CVSS score | Published | Description |
|---|---|---|---|---|
| CVE-2024-5449 | MEDIUM | 4.3 | 2024-06-06 | The WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing plugin for WordPress is vulnerable to unauthorized modificatio… |
| CVE-2024-8432 | MEDIUM | 4.3 | 2024-09-24 | The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sa… |
| CVE-2025-11742 | MEDIUM | 4.3 | 2025-10-18 | The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action … |
WordPress 5.0.4 is associated with 9 documented security vulnerabilities, 1 critical, 2 high-severity and 6 medium-severity, affecting thousands of websites. The most dangerous is CVE-2018-20979, a critical privilege-escalation flaw in the Contact Form 7 plugin (fixed in its version 5.0.4) that lets a low-privileged account gain administrative access. Delayed patching puts your website, your users' data and your reputation at serious risk.
Don't leave your WordPress site exposed to these known threats. Visit SiteRecipe.com today to scan your website for vulnerabilities, get detailed security recommendations, and receive step-by-step guidance on patching your specific WordPress version. Our security experts can help you identify which of these 9 CVEs affect your site and implement fixes quickly. Start your free security assessment now and protect your WordPress installation before attackers do.