WordPress 5.2.2 contains 14 documented security vulnerabilities that pose serious risks to your website's safety. With one critical vulnerability and four high-severity flaws, administrators running this outdated version need to take immediate action. Approximately 28 websites are still using this vulnerable version, making them prime targets for cyberattacks.
In this comprehensive guide, we'll walk you through identifying if your WordPress installation is affected, understanding the risks involved, and implementing the necessary security fixes. Whether you're a small business owner or managing multiple sites, protecting your WordPress installation should be your top priority.
Don't let your website become another security statistic—learn how to safeguard your digital presence against these known threats.
WordPress 5.2.2 is an older release of WordPress, the world's most popular website platform used by over 43% of all websites on the internet. This particular version was released several years ago and is no longer receiving security updates from the official WordPress development team. Running outdated software is like leaving your front door unlocked—attackers actively search for known vulnerabilities in older versions to gain unauthorized access.
The vulnerabilities in WordPress 5.2.2 range from authentication bypass issues to remote code execution attacks that could allow hackers to take complete control of your website. These security flaws affect not only the core WordPress platform but also popular plugins that users rely on for functionality. Staying on an unsupported WordPress version puts your website data, visitor information, and business reputation at serious risk.
14 CVEs found. The most critical are explained below.
A flaw in the Facebook login feature allows attackers to log into any account on your site if they know someone's email address. They don't need a password or any special access—just the email is enough.
Impact: Attackers can hijack user accounts, access private information, post content as other users, and potentially take control of administrator accounts to damage your entire site.
↗ View on NVDThe Modal Window plugin has a security flaw that lets attackers run malicious code on your server. This happens through a feature that wasn't properly secured against attacks.
Impact: Hackers can take complete control of your website, steal all data, inject malware, redirect visitors to harmful sites, or use your server for cyberattacks.
↗ View on NVDWordPress doesn't properly verify that uploaded plugins are legitimate files. An attacker could trick an admin into uploading a fake plugin that actually contains harmful code.
Impact: Your website could be compromised through what appears to be a normal plugin installation, giving attackers full control over your site and data.
↗ View on NVDThe WP Activity Log plugin doesn't properly clean up user input, allowing attackers to inject hidden malicious code into your site's activity logs.
Impact: Visitors viewing activity logs could have their browsers hijacked, credentials stolen, or malware downloaded without knowing it. Your site's reputation could be damaged.
↗ View on NVDThe Super Page Cache plugin doesn't properly filter activity log data, allowing attackers to inject malicious scripts that run whenever the log is viewed.
Impact: Attackers can steal admin passwords, inject redirects to fake login pages, or install backdoors. Your website visitors could also be attacked through these injected scripts.
↗ View on NVDThe Mail On Update plugin can be manipulated through a forged request to change where email notifications are sent. Attackers can trick administrators into making these changes without realizing it.
Impact: Hackers could redirect all your important notifications to their own email address, allowing them to monitor site activity and intercept password reset emails.
↗ View on NVDShowing first 10 of 8. View all on NVD ↗
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2025-7400 | MEDIUM | 6.4 | 2025-10-07 | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including… |
| CVE-2021-25028 | MEDIUM | 6.1 | 2022-01-24 | The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary r… |
| CVE-2023-2362 | MEDIUM | 6.1 | 2023-06-12 | The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before… |
| CVE-2024-11943 | MEDIUM | 6.1 | 2024-12-07 | The 워드프레스 결제 심플페이 – 우커머스 결제 플러그인 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg() function without appropriate escaping on th… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2021-24471 | MEDIUM | 5.4 | 2021-08-16 | The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
Plain English · Fix recommendations · Instant PDF & HTML download
Scan your site in 30 seconds. Used by 500+ web agencies.
WordPress 5.2.2 is dangerously outdated and poses multiple serious security risks to your website. The presence of one critical vulnerability alongside four high-severity flaws means your site could be compromised at any moment. Taking the steps outlined in this guide—updating WordPress, securing your plugins, and auditing your accounts—are essential actions that every website owner must complete immediately.
Protecting your WordPress installation doesn't have to be complicated or time-consuming. SiteRecipe.com provides automated scanning tools and expert guidance to help you identify vulnerabilities, apply security patches, and maintain ongoing protection against emerging threats. Visit SiteRecipe.com today to scan your website for free and get a detailed security report that shows exactly what needs to be fixed. Don't wait until it's too late—secure your WordPress site now with SiteRecipe.com's comprehensive security solutions.
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.