Home / Blog / wordpress 5.2
Security Advisory

WordPress 5.2 Vulnerabilities: 133 Critical CVEs Explained

šŸ“… June 01, 2026 Ā·ā± 5 min read Ā·šŸ”’ SiteRecipe Security Team
āš  9,000 websites still running wordpress 5.2  ā†’ View full list
133
Total
9
Critical
29
High
92
Medium
3
Low

WordPress 5.2, released in 2019, contains 133 known security vulnerabilities that put your website at serious risk. Among these are 9 critical CVEs that could allow attackers to take control of your site, steal data, or inject malicious code. An estimated 9,000 websites still run this outdated version, making them prime targets for cybercriminals.

The most dangerous vulnerabilities in WordPress 5.2 include Server-Side Request Forgery (SSRF) attacks and SQL injection flaws through popular plugins. These aren't theoretical threatsā€”they're being actively exploited in the wild. If your site hasn't been updated, you could be compromised without even knowing it.

This guide explains what WordPress 5.2 vulnerabilities are, how to check if your site is at risk, and the exact steps to secure your installation.

What is Wordpress 5.2?

WordPress 5.2 is a version of WordPress released in May 2019. WordPress is the content management system that powers over 43% of all websites on the internet. Think of it as the "engine" that runs your blog, business website, or online store. WordPress 5.2 was a major release that introduced new features and improvements, but it also contained security weaknesses that weren't fully understood at the time.

Vulnerabilities are like unlocked doors in your website's security system. Attackers can exploit these weaknesses to break in, steal customer information, display malware, or take complete control of your site. WordPress 5.2's 133 vulnerabilitiesā€”especially the 9 critical onesā€”are like having 9 completely unlocked front doors while intruders are actively trying to break in. The good news: these vulnerabilities are fixable with updates.

Key Vulnerabilities in Wordpress 5.2

133 CVEs found. The most critical are explained below.

CRITICAL CVE-2019-17669 9.8/10 Ā· CVSS v3.1 ā± Immediate
WordPress URL Validation Bypass

WordPress has a security weakness in how it validates website addresses. Attackers can trick your WordPress site into making requests to internal systems or other websites by using special character formats that bypass the safety checks.

Impact: An attacker could potentially access sensitive internal data, files, or systems connected to your website that should be private.

ā†— View on NVD
CRITICAL CVE-2019-17670 9.8/10 Ā· CVSS v3.1 ā± Immediate
WordPress Windows Path Security Flaw

WordPress doesn't properly handle Windows file paths when checking if URLs are safe. This allows attackers to bypass security checks and make your server request restricted content.

Impact: Attackers could gain unauthorized access to internal systems, files, or sensitive information stored on your server.

ā†— View on NVD
CRITICAL CVE-2022-0254 9.8/10 Ā· CVSS v3.1 ā± Immediate
Zero Spam Plugin Database Attack

The Zero Spam plugin has a flaw where it doesn't properly clean user input before searching your database. Attackers can inject malicious code into search parameters to access or manipulate your database.

Impact: Hackers could steal, modify, or delete important website data, or gain access to sensitive information like user details.

ā†— View on NVD
CRITICAL CVE-2022-0771 9.8/10 Ā· CVSS v3.1 ā± Immediate
SiteSuperCharger Plugin Database Injection

The SiteSuperCharger plugin doesn't validate user inputs before using them in database queries. Anyone, including people without login access, can exploit this to inject harmful database commands.

Impact: Attackers could completely compromise your website data, steal user information, modify content, or take full control of your site.

ā†— View on NVD
CRITICAL CVE-2022-3477 9.8/10 Ā· CVSS v3.1 ā± Immediate
Newspaper Theme Fake Facebook Login Flaw

The Newspaper and Newsmag themes have a broken Facebook login feature that doesn't properly verify user identity. Attackers can fake being any user by just knowing their email address.

Impact: Anyone could log into user accounts without knowing passwords, gaining access to private information and the ability to impersonate other users.

ā†— View on NVD
CRITICAL CVE-2022-4050 9.8/10 Ā· CVSS v3.1 ā± Immediate
JoomSport Plugin Database Injection

The JoomSport plugin fails to properly clean user input before using it in database commands. Attackers can inject malicious code to access or manipulate your database without needing any special access.

Impact: Hackers could steal sensitive data, modify website content, create fake accounts, or take control of your entire WordPress site.

ā†— View on NVD

Additional Vulnerabilities (127 more)

Showing first 10 of 127. View all on NVD ā†—

CVE IDSeverityScore PublishedDescription
CVE-2023-2499 CRITICAL 9.8 2023-05-16 The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification on the user bā€¦
CVE-2024-12922 CRITICAL 9.8 2025-03-19 The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in aā€¦
CVE-2019-25224 CRITICAL 9.8 2025-07-25 The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attaā€¦
CVE-2019-17675 HIGH 8.8 2019-10-17 WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
CVE-2021-25051 HIGH 8.8 2022-01-10 The Modal Window WordPress plugin before 5.2.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// proā€¦
CVE-2025-2319 HIGH 8.8 2025-03-25 The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. This is due to missing or incorrā€¦
CVE-2026-1566 HIGH 8.8 2026-03-03 The LatePoint ā€“ Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and includā€¦
CVE-2020-11026 HIGH 8.7 2020-04-30 In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an auā€¦
CVE-2024-6420 HIGH 8.6 2024-07-23 The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to aā€¦
CVE-2022-0403 HIGH 8.1 2022-04-04 The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and ā€¦
Full Report Available

All 133 CVEs with AI explanations + fix guide

Plain English Ā· Fix recommendations Ā· Instant PDF & HTML download

$1/report
ā¬‡ Get Full Report ā€” $1
PDF + HTML Ā· Instant download

Is your website running Wordpress 5.2?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website ā€” free šŸ“‹ See all 9,000 affected sites

How to Check If Your Website Is Affected

How to Fix These Vulnerabilities

Conclusion

WordPress 5.2 is dangerously outdated with 9 critical vulnerabilities that hackers actively exploit. Staying on this version puts your business, customer data, and reputation at serious risk. The good news is that updating takes minutes and immediately closes the majority of these security holes.

Don't wait for a breach to happen. Use SiteRecipe.com's free security scanning tool to instantly identify all vulnerabilities on your WordPress site, get personalized fix recommendations, and monitor your security continuously. Our platform makes it simple to stay ahead of threats so you can focus on growing your business instead of worrying about security.

Frequently Asked Questions

Is WordPress 5.2 still supported with security updates?
No. WordPress 5.2 reached end-of-life in 2020 and no longer receives security patches. WordPress only supports the current version and previous two major releases with security updates. You must upgrade immediately to receive protection.
Will updating WordPress break my website?
Modern WordPress updates are designed to be backward compatible and rarely cause issues. By backing up first (as outlined in our fix guide), you can safely roll back if needed. Most sites experience zero problems during updates. SiteRecipe can help monitor your site during the process.
Can hackers exploit these vulnerabilities if my site looks fine?
Yes, absolutely. Many exploits happen silently in the backgroundā€”you won't see any visible signs of compromise. Attackers may steal data, inject malware into pages, or redirect visitors without you noticing for weeks. This is why regular security scanning is critical.
How often should I update WordPress after upgrading from 5.2?
Enable automatic updates for minor security releases in WordPress settings. For major updates, check monthly and update within 1-2 weeks of release. Security vulnerabilities are disclosed regularly, and prompt updates are your best defense against exploitation.
What if I can't update due to plugin compatibility issues?
Contact your plugin developers to request updates, or switch to actively maintained alternatives. If a plugin hasn't been updated in years, it's likely abandoned and poses its own security risk. SiteRecipe can identify problematic plugins and recommend replacements.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans šŸ“‹ 9,000 affected sites
DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov Ā· Published: June 01, 2026 Ā· SiteRecipe.com