WordPress 5.1.1 is a vulnerable version with 42 documented security vulnerabilities, including 3 critical-level flaws that can compromise your entire website. If you're running this outdated version, hackers can exploit authentication bypasses, unauthorized password resets, and privilege escalation attacks. This guide will help you identify if your site is at risk and provide immediate steps to secure your WordPress installation.
Approximately 9000+ websites still run WordPress 5.1.1, making them easy targets for automated attacks. The most dangerous vulnerabilities include authentication bypass in the UserPro plugin, unauthorized password resets, and privilege escalation in popular contact form plugins. We'll walk you through checking your version and implementing fixes to protect your business.
WordPress 5.1.1 is an older version of WordPress, the platform that powers over 43% of all websites on the internet. Released in early 2019, this version is no longer supported by the WordPress development team, meaning security patches are no longer released. When WordPress versions stop receiving updates, they become increasingly vulnerable to hackers who exploit known weaknesses.
Think of WordPress like the foundation of your house—when it's outdated and unmaintained, cracks appear that burglars can use to break in. Version 5.1.1 has multiple "cracks" in its code, some of which allow attackers to take control of user accounts, reset passwords without permission, or gain administrator access without proper credentials. Running an outdated WordPress version is one of the biggest security risks any website owner can take.
42 CVEs found. The most critical are explained below.
The UserPro plugin has a serious flaw in its Facebook login feature that doesn't properly verify who is trying to log in. This means someone could pretend to be any existing user on your website without needing their password.
Impact: Attackers could access any user account, steal customer data, modify content, or take over admin accounts to control your entire website.
The UserPro plugin's password reset feature doesn't properly check whether the person requesting a reset should actually be allowed to reset that password. Attackers can exploit this to reset passwords for any account.
Impact: Hackers can reset passwords for any user account, including administrators, giving them complete access to those accounts without knowing the original passwords.
The Fluent Forms plugin is missing a security check that would normally prevent regular users from accessing admin functions. This allows low-level users to perform actions only administrators should be able to do.
Impact: Attackers with basic user accounts can escalate their permissions to administrator level, gaining full control over your website and all its data.
WordPress versions before 5.1.1 don't properly filter what visitors type in comments, and the cross-site request forgery (CSRF) protection on the comment form is not working correctly. Together, these allow attackers to inject malicious code through comments.
Impact: Hackers can inject harmful code into your website through comments that executes on visitors' browsers, potentially stealing data or redirecting users to malicious sites.
The UserPro plugin doesn't use proper security tokens (called nonces) to verify that form submissions are legitimate and come from your own website. This makes it vulnerable to Cross-Site Request Forgery attacks.
Impact: Attackers can trick users into unknowingly making changes to their accounts or website settings through malicious links or websites, even without logging in.
The Projectopia project management plugin is missing a security check on one of its functions, allowing users without proper permissions to remove important logo files and disable functionality.
Impact: Unauthorized users can remove logos or damage website functionality, potentially causing your site to display incorrectly or stop working properly.
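The two missing checks described above (a capability check on a plugin function, and a nonce on form submissions) are the standard pair every WordPress AJAX handler needs. The following is an added illustration, not code from UserPro, Fluent Forms or Projectopia; the action, option and function names are hypothetical.

```php
<?php
// Added example: a WordPress admin-ajax handler shown first without the
// checks the CVEs above describe as missing, then hardened. Action, option
// and function names are hypothetical.

// Vulnerable pattern: any caller who can reach admin-ajax.php for this
// action can delete the logo, and because no nonce is checked, a forged
// request from another site can trigger it on the user's behalf.
function example_delete_logo_vulnerable() {
    delete_option( 'example_site_logo' );
    wp_send_json_success();
}

// Hardened pattern.
function example_delete_logo_secure() {
    // 1. Nonce check: the request must carry a token minted for this action
    //    by wp_create_nonce( 'example_delete_logo' ) on our own page, which a
    //    cross-site forgery cannot obtain. Sends 403 and exits on failure.
    check_ajax_referer( 'example_delete_logo', 'nonce' );

    // 2. Capability check: the nonce proves intent, not authority. A
    //    subscriber can obtain a nonce from any page they are allowed to
    //    view, so the handler must still verify what the caller may do.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    delete_option( 'example_site_logo' );
    wp_send_json_success();
}
// Register for authenticated users only: no wp_ajax_nopriv_ hook, so
// anonymous visitors never reach the handler at all.
add_action( 'wp_ajax_example_delete_logo', 'example_delete_logo_secure' );

// The admin page that renders the delete button must emit the matching
// nonce, which the page's JavaScript sends back as the 'nonce' field.
function example_render_delete_button() {
    $nonce = wp_create_nonce( 'example_delete_logo' );
    printf(
        '<button data-action="example_delete_logo" data-nonce="%s">Remove logo</button>',
        esc_attr( $nonce )
    );
}
```

Either check alone is insufficient: the nonce without the capability check is the privilege-escalation pattern, and the capability check without the nonce is the CSRF pattern.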
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2026-5436 | HIGH | 8.1 | 2026-04-08 | The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parame… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2024-2782 | HIGH | 7.5 | 2024-05-18 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing … |
| CVE-2024-4157 | HIGH | 7.5 | 2024-05-22 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and inc… |
| CVE-2025-13457 | HIGH | 7.5 | 2026-01-10 | The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to … |
| CVE-2023-6007 | HIGH | 7.3 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all ve… |
| CVE-2023-2446 | MEDIUM | 6.5 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient … |
| CVE-2025-9260 | MEDIUM | 6.5 | 2025-09-03 | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 v… |
| CVE-2024-2772 | MEDIUM | 6.4 | 2024-05-18 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in al… |
| CVE-2024-4709 | MEDIUM | 6.4 | 2024-05-18 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ param… |
| CVE-2024-12697 | MEDIUM | 6.4 | 2024-12-21 | The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.1 due to insufficient input sanitization and output escapi… |
| CVE-2025-13418 | MEDIUM | 6.4 | 2026-01-07 | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to i… |
| CVE-2025-15058 | MEDIUM | 6.4 | 2026-01-07 | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due … |
| CVE-2023-6008 | MEDIUM | 6.3 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multi… |
| CVE-2022-3578 | MEDIUM | 6.1 | 2022-11-14 | The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting |
| CVE-2023-2447 | MEDIUM | 6.1 | 2023-11-22 | The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the '… |
| CVE-2024-11032 | MEDIUM | 6.1 | 2024-11-26 | The Parsi Date plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, … |
| CVE-2025-4187 | MEDIUM | 5.9 | 2025-06-14 | The UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fb… |
| CVE-2025-11467 | MEDIUM | 5.8 | 2025-12-11 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all ver… |
| CVE-2020-15038 | MEDIUM | 5.4 | 2020-06-24 | The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS. |
| CVE-2023-0364 | MEDIUM | 5.4 | 2023-03-20 | The real.Kit WordPress plugin before 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, w… |
| CVE-2023-0369 | MEDIUM | 5.4 | 2023-03-20 | The GoToWP WordPress plugin through 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, wh… |
| CVE-2024-1333 | MEDIUM | 5.4 | 2024-03-18 | The Responsive Pricing Table WordPress plugin before 5.1.11 does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the rel… |
| CVE-2026-4401 | MEDIUM | 5.4 | 2026-04-08 | The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.… |
| CVE-2023-5845 | MEDIUM | 5.3 | 2023-11-27 | The Simple Social Media Share Buttons WordPress plugin before 5.1.1 leaks password-protected post content to unauthenticated visitors in some meta tags |
| CVE-2025-12876 | MEDIUM | 5.3 | 2025-12-05 | The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJA… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal. This issue affects WordPress: f… |
| CVE-2023-3814 | MEDIUM | 4.9 | 2023-09-04 | The Advanced File Manager WordPress plugin before 5.1.1 does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary fi… |
| CVE-2024-6703 | MEDIUM | 4.9 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ a… |
| CVE-2024-9528 | MEDIUM | 4.9 | 2024-10-05 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields i… |
| CVE-2022-1568 | MEDIUM | 4.8 | 2022-05-30 | The Team Members WordPress plugin before 5.1.1 does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting atta… |
| CVE-2024-6518 | MEDIUM | 4.4 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via input fields in all… |
| CVE-2024-6520 | MEDIUM | 4.4 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom error messag… |
| CVE-2024-6521 | MEDIUM | 4.4 | 2024-07-27 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dropdown fields in … |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-5053 | MEDIUM | 4.2 | 2024-09-01 | The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Mailchimp API key update due to an ins… |
WordPress 5.1.1 is dangerously outdated with 42 security vulnerabilities waiting to be exploited. Every day your site runs this version, you risk unauthorized access, data theft, and complete website takeover. The fix is straightforward: update to a current WordPress version, update all plugins, and verify your site hasn't been compromised. The entire process typically takes less than an hour and provides essential protection for your business.
Don't leave your website exposed to cybercriminals. Use SiteRecipe.com's free security scanner to check your WordPress version, identify vulnerable plugins, and receive a customized action plan to secure your site. Our tool also monitors for malware and configuration issues that hackers exploit. Protect your website today—your customers and business data depend on it.