WordPress 5.3 is not something to keep running. The NVD search behind this page returns 108 CVEs whose affected-version ranges include a 5.3 release; the highest-scored entries (CVSS 8.8, rated High; none in the table is rated Critical) cover arbitrary file upload, SQL injection and privilege escalation, and several of the flaws highlighted below need no login to reach. One caveat before the list: the search matches on the version string, so most rows are plugin CVEs whose own version numbers happen to be 5.3.x, not WordPress core bugs. The core issues that genuinely affect 5.3.0 (CVE-2019-16781, CVE-2019-20042 and CVE-2019-20043, all fixed in 5.3.1) are in the table too. Either way the remedy is the same: find out exactly what you are running, core and plugins alike, and update it.
This guide walks through checking whether your installation is affected, what the main flaw classes mean in practice, and the updates that close them.
WordPress 5.3 was released in November 2019. Like every release it received security fixes afterwards, starting with 5.3.1 in December 2019, and an installation still on 5.3.0 lacks every one of them. The listed flaws are not theoretical either: once a WordPress core or plugin vulnerability is public, automated scanners probe for the vulnerable version at scale, and the usual outcomes are web shells, injected spam or redirects, and stolen credentials or customer data.
The entries fall into a few recurring classes: arbitrary file upload (a PHP file placed where the web server will execute it), sanitiser bypass leading to cross-site scripting, SQL injection through an unescaped parameter, path traversal that reads files such as wp-config.php, missing capability or nonce checks that let a low-privileged user or a CSRF victim perform administrative actions, and server-side request forgery. The highlighted ones below are the priority because several are reachable by anyone on the internet with no account on the site.
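Finding out what is actually installed is the first step named above, and it should not rely on the version a theme or plugin advertises in page source. The script below is an added example, not code from this page or from any SiteRecipe tool: it reads `$wp_version` from wp-includes/version.php and the `Version:` header from each plugin's main file, then compares them against a small table of minimum fixed versions. The thresholds are taken from the "before X" wording of three NVD rows on this page (core before 5.3.1 for CVE-2019-16781, Ajax Load More before 5.3.2 for CVE-2021-24140, YARPP before 5.30.3 for CVE-2022-4471); the plugin directory slugs and the sample install contents are assumptions made for the example.

```python
"""Audit a WordPress tree: report core and plugin versions below a known-fixed threshold."""
import re
from pathlib import Path

# Minimum fixed versions, taken from the "before X" wording of the NVD rows
# on this page: WordPress core before 5.3.1 (CVE-2019-16781), Ajax Load More
# before 5.3.2 (CVE-2021-24140), YARPP before 5.30.3 (CVE-2022-4471).
# The plugin directory slugs are assumed for illustration.
MIN_SAFE = {
    "core": "5.3.1",
    "ajax-load-more": "5.3.2",
    "yet-another-related-posts-plugin": "5.30.3",
}

_CORE_VERSION = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
_PLUGIN_NAME = re.compile(r"^\s*\*?\s*Plugin Name:", re.M)
_PLUGIN_VERSION = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)


def parse_version(text):
    """'5.30.3' -> (5, 30, 3). Tuples compare element-wise, so 5.3 < 5.3.1 < 5.30.3.
    A pre-release suffix such as '-beta1' is dropped before comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def core_version(version_php):
    """Extract $wp_version from the text of wp-includes/version.php."""
    m = _CORE_VERSION.search(version_php)
    return m.group(1) if m else None


def plugin_version(main_file):
    """Extract the Version: header from a plugin's main PHP file."""
    m = _PLUGIN_VERSION.search(main_file)
    return m.group(1) if m else None


def audit(version_php, plugins):
    """plugins maps slug -> text of the plugin's main file.
    Returns (component, installed, minimum) for each component below threshold;
    an unreadable version counts as a finding rather than a pass."""
    findings = []
    installed = core_version(version_php)
    if installed is None or parse_version(installed) < parse_version(MIN_SAFE["core"]):
        findings.append(("core", installed, MIN_SAFE["core"]))
    for slug, text in plugins.items():
        minimum = MIN_SAFE.get(slug)
        if minimum is None:
            continue  # nothing on this page's list for that plugin
        installed = plugin_version(text)
        if installed is None or parse_version(installed) < parse_version(minimum):
            findings.append((slug, installed, minimum))
    return findings


def audit_tree(root):
    """Run audit() on a real install: reads wp-includes/version.php and the
    file carrying the 'Plugin Name:' header in each wp-content/plugins/<slug>/."""
    root = Path(root)
    version_php = (root / "wp-includes" / "version.php").read_text(errors="replace")
    plugins = {}
    for plugin_dir in (root / "wp-content" / "plugins").iterdir():
        if not plugin_dir.is_dir():
            continue
        for php in plugin_dir.glob("*.php"):
            text = php.read_text(errors="replace")
            if _PLUGIN_NAME.search(text):
                plugins[plugin_dir.name] = text
                break
    return audit(version_php, plugins)


# Constructed sample input standing in for a real install: core still on 5.3,
# Ajax Load More one release short, YARPP already at the fixed version.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '5.3';\n"
SAMPLE_PLUGINS = {
    "ajax-load-more": "<?php\n/*\nPlugin Name: Ajax Load More\nVersion: 5.3.1\n*/\n",
    "yet-another-related-posts-plugin": "<?php\n/**\n * Plugin Name: YARPP\n * Version: 5.30.3\n */\n",
    "hello-dolly": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
}

if __name__ == "__main__":
    for component, installed, minimum in audit(SAMPLE_VERSION_PHP, SAMPLE_PLUGINS):
        print(f"{component}: installed {installed}, needs >= {minimum}")
```

Run `audit_tree("/var/www/html")` against a real document root; the sample data exercises the same logic offline. Treat a missing or unparsable version as a finding, as the code does, because a plugin whose header cannot be read is more often a tampered or hand-copied install than a safe one.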
The entries highlighted first are the ones most worth acting on; the full table of matching CVEs follows.
Contact Form 7: a flaw in the upload handling lets a crafted filename get past the plugin's file-type check, so an attacker who can reach a form with a file field can place a PHP file under wp-content/uploads. If the web server executes PHP from that directory, that file is a web shell running with the privileges of the PHP process.
Impact: malware deployment, theft of customer data, spam sent from your domain, or full takeover of the site, which can then be used to attack others. Two checks worth doing regardless of plugin version: disable PHP execution under wp-content/uploads at the web server, and look for any .php file already sitting in that tree.
WordPress core strips dangerous markup out of comments and other user-submitted content before it is stored or displayed. This flaw lets an attacker get JavaScript past that filter with a particular HTML construction, after which the script runs in the browser of anyone who views the affected page, including logged-in administrators.
Impact: session or account hijacking, theft of visitor data, or malware served from your own pages. A stored XSS that reaches an administrator's dashboard is one step from full compromise, since the script can create users or install plugins using the admin's session.
wpDiscuz: the commenting plugin passes attacker-controlled input into a database query without proper escaping, so an attacker can run their own SQL through the comments feature and read, modify or delete data in any table.
Impact: full exposure of the database, including user records and password hashes, post content and plugin settings; the same access lets the attacker alter or destroy that data.
tagDiv Composer (bundled with the Newspaper theme): the plugin exposes actions that can be triggered without a login. For this plugin the table below lists reflected cross-site scripting via the account_id, account_username and data parameters (CVE-2025-2804, CVE-2025-2806) and a missing nonce check leading to CSRF in all versions up to 5.3 (CVE-2025-1705).
Impact: an attacker can cause actions to be performed on the site without authenticating, or by riding on an administrator's session, leading to data theft or site compromise.
article2pdf: the plugin builds a file path from user input without confining it to the intended directory, so an attacker can walk up the tree with ../ sequences and read arbitrary files the web server can read, wp-config.php included.
Impact: exposure of database credentials, the authentication salts and keys in wp-config.php, and any other readable file on the server; with the database credentials in hand an attacker is usually one step from full control of the site.
flickrRSS: the plugin's settings handler does not verify that a change request carries a valid nonce, so an attacker can craft a link or page that silently submits new settings when a logged-in administrator visits it (cross-site request forgery). The table below also lists three reflected XSS issues in flickrRSS 5.3.1 (CVE-2018-6466, CVE-2018-6468, CVE-2018-6469).
Impact: settings changed without the administrator's knowledge, which can mean redirected traffic, injected ads, or altered site behaviour.
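Detection is the other half of the picture for the flaw classes above: file upload, SQL injection through admin-ajax.php, and path traversal all leave recognisable traces in the web server's access log. The scanner below is an added example, not code from this page or from any of the plugins named. It parses combined-format access logs, URL-decodes the request path twice, and flags requests matching three illustrative patterns; the patterns, the sample log lines and the plugin paths and parameter names in them are constructed for this example and should be tuned to the site before being trusted.

```python
"""Flag web-server log lines that resemble attempts on the flaw classes described above."""
import re
from urllib.parse import unquote_plus

# Combined log format as written by Apache and nginx:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative rules, one per class discussed above. They are assumptions made
# for this example, not signatures from the page's source or any vendor.
RULES = [
    # article2pdf-style traversal: "../" present after decoding, whatever the parameter
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    # admin-ajax SQL injection, e.g. the repeater=' or sleep(5)# payload noted for CVE-2021-24140
    ("sqli-admin-ajax", re.compile(r"admin-ajax\.php\?.*(?:'\s*or\s|sleep\s*\(|union\s+select)", re.I)),
    # Contact Form 7-style outcome: a PHP file being requested from the uploads tree
    ("php-in-uploads", re.compile(r"/wp-content/uploads/.*\.php(?:[?/]|$)", re.I)),
]


def decode(path):
    """URL-decode twice so that double-encoded payloads (%252e%252e) are caught as well."""
    return unquote_plus(unquote_plus(path))


def classify(line):
    """Return (rule, ip, method, status) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode(m.group("path"))
    for name, pattern in RULES:
        if pattern.search(path):
            return (name, m.group("ip"), m.group("method"), m.group("status"))
    return None


def scan(lines):
    """Classify every line; a 200 status on a flagged request is the one to look at first."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample log: three probes and one benign request. Paths and
# parameters are made up for illustration, not taken from real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-admin/admin-ajax.php?repeater=%27+or+sleep%285%29%23&type=test HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/plugins/some-plugin/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3011 "-" "curl/7.88"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/uploads/2023/10/shell.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:56:30 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rule, ip, method, status in scan(SAMPLE_LOG):
        print(f"{rule:18} {ip:15} {method} -> {status}")
```

Feed it real lines with `scan(open("/var/log/apache2/access.log"))`. A flagged request that returned 200 rather than 403 or 404 means the web server served the request, which for the uploads rule in particular is the signal that a shell is already in place and the incident has moved past prevention.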
| CVE ID | Severity | CVSS score | Published | Description |
|---|---|---|---|---|
| CVE-2021-42362 | HIGH | 8.8 | 2021-11-17 | The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes i… |
| CVE-2022-0439 | HIGH | 8.8 | 2022-03-07 | The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it … |
| CVE-2023-0940 | HIGH | 8.8 | 2023-03-20 | The ProfileGrid WordPress plugin before 5.3.1 provides an AJAX endpoint for resetting a user password but does not implement proper authorization. This allows a user with low priv… |
| CVE-2021-4337 | HIGH | 8.8 | 2023-06-07 | Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various v… |
| CVE-2023-0579 | HIGH | 8.8 | 2023-08-16 | The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated us… |
| CVE-2023-6979 | HIGH | 8.8 | 2024-01-11 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ivole_import_upload_csv AJAX action in… |
| CVE-2024-1990 | HIGH | 8.8 | 2024-04-09 | The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to blind SQL Injection via the ‘id’ parameter of t… |
| CVE-2024-1991 | HIGH | 8.8 | 2024-04-09 | The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capabilit… |
| CVE-2024-6756 | HIGH | 8.8 | 2024-07-24 | The Social Auto Poster plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpw_auto_poster_get_image_path' function in all ver… |
| CVE-2025-2158 | HIGH | 8.8 | 2025-05-10 | The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5… |
| CVE-2026-5411 | HIGH | 8.8 | 2026-06-05 | The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versio… |
| CVE-2026-5415 | HIGH | 8.8 | 2026-06-05 | The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versio… |
| CVE-2024-9302 | HIGH | 8.1 | 2024-10-25 | The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and includi… |
| CVE-2024-10783 | HIGH | 8.1 | 2024-12-13 | The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to a missing authorization che… |
| CVE-2025-9539 | HIGH | 8.0 | 2025-09-09 | The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due… |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2010-4839 | HIGH | 7.5 | 2011-09-14 | SQL injection vulnerability in the Event Registration plugin 5.32 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the event_id parameter in… |
| CVE-2023-1874 | HIGH | 7.5 | 2023-04-12 | The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multipl… |
| CVE-2022-3342 | HIGH | 7.5 | 2023-10-20 | The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the ‘zbscrmcsvimpf’ parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to,… |
| CVE-2024-6750 | HIGH | 7.3 | 2024-07-24 | The Social Auto Poster plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all ver… |
| CVE-2019-13570 | HIGH | 7.2 | 2019-07-23 | The AJdG AdRotate plugin before 5.3 for WordPress allows SQL Injection. |
| CVE-2021-24140 | HIGH | 7.2 | 2021-03-18 | Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, lead to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)#&type=tes… |
| CVE-2024-6753 | HIGH | 7.2 | 2024-07-24 | The Social Auto Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mapTypes’ parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX functio… |
| CVE-2025-14151 | HIGH | 7.2 | 2025-12-19 | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, … |
| CVE-2025-15055 | HIGH | 7.2 | 2026-01-09 | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due … |
| CVE-2025-15057 | HIGH | 7.2 | 2026-01-09 | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is … |
| CVE-2026-1238 | HIGH | 7.2 | 2026-03-19 | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to in… |
| CVE-2024-12400 | HIGH | 7.1 | 2025-01-30 | The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. |
| CVE-2013-3258 | MEDIUM | 6.8 | 2014-06-02 | Cross-site request forgery (CSRF) vulnerability in the Digg Digg plugin before 5.3.5 for WordPress allows remote attackers to hijack the authentication of users for requests that m… |
| CVE-2024-4038 | MEDIUM | 6.5 | 2024-05-14 | The Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, … |
| CVE-2024-6755 | MEDIUM | 6.5 | 2024-07-24 | The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the ‘wpw_auto_poster_quick_delete_mult… |
| CVE-2024-13369 | MEDIUM | 6.5 | 2025-02-18 | The Tour Master - Tour Booking, Travel, Hotel plugin for WordPress is vulnerable to time-based SQL Injection via the ‘review_id’ parameter in all versions up to, and including, 5.… |
| CVE-2025-13431 | MEDIUM | 6.5 | 2026-02-11 | The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient esca… |
| CVE-2023-2433 | MEDIUM | 6.4 | 2023-07-18 | The YARPP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'className' parameter in versions up to, and including, 5.30.3 due to insufficient input sanitizati… |
| CVE-2023-5161 | MEDIUM | 6.4 | 2023-09-27 | The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 5.3.5 due to insufficient input sanitization an… |
| CVE-2023-4482 | MEDIUM | 6.4 | 2023-10-20 | The Auto Amazon Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the style parameter in versions up to, and including, 5.3.1 due to insufficient input s… |
| CVE-2024-0837 | MEDIUM | 6.4 | 2024-04-06 | The Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) plugin for WordPress is vulnerable… |
| CVE-2024-2457 | MEDIUM | 6.4 | 2024-04-09 | The Modal Window – create popup modal window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, … |
| CVE-2024-6752 | MEDIUM | 6.4 | 2024-07-24 | The Social Auto Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_name’ parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX function… |
| CVE-2024-6894 | MEDIUM | 6.4 | 2024-09-05 | The RD Station plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.3.2 due to insufficient input sanitization and output esca… |
| CVE-2024-13527 | MEDIUM | 6.4 | 2025-01-28 | The Philantro – Donations and Donor Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'donate' in all versions up to, a… |
| CVE-2025-1664 | MEDIUM | 6.4 | 2025-03-08 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Parallax slider in all version… |
| CVE-2025-3715 | MEDIUM | 6.4 | 2025-05-18 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text parameter in all versions up to, and including, 5.3.5 due to insufficient… |
| CVE-2025-5286 | MEDIUM | 6.4 | 2025-05-29 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘additional_settings’ parameter in all versions up to, and including, 5.3.6 due to … |
| CVE-2025-5116 | MEDIUM | 6.4 | 2025-06-03 | The WP Plugin Info Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerid’ parameter in all versions up to, and including, 5.3.1 due to insuff… |
| CVE-2025-8440 | MEDIUM | 6.4 | 2025-09-27 | The Team Members plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the first and last name fields in all versions up to, and including, 5.3.5 due to insufficie… |
| CVE-2026-4785 | MEDIUM | 6.4 | 2026-04-08 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [la… |
| CVE-2024-6751 | MEDIUM | 6.3 | 2024-07-24 | The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validat… |
| CVE-2018-25324 | MEDIUM | 6.2 | 2026-05-17 | Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null byte… |
| CVE-2018-6466 | MEDIUM | 6.1 | 2018-02-06 | A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flic… |
| CVE-2018-6468 | MEDIUM | 6.1 | 2018-02-06 | A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flic… |
| CVE-2018-6469 | MEDIUM | 6.1 | 2018-02-06 | A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flic… |
| CVE-2013-7479 | MEDIUM | 6.1 | 2019-08-22 | The events-manager plugin before 5.3.9 for WordPress has XSS in the search form field. |
| CVE-2013-7480 | MEDIUM | 6.1 | 2019-08-22 | The events-manager plugin before 5.3.6.1 for WordPress has XSS via the booking form and admin areas. |
| CVE-2019-20042 | MEDIUM | 6.1 | 2019-12-27 | In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulne… |
| CVE-2022-0428 | MEDIUM | 6.1 | 2022-05-02 | The Content Egg WordPress plugin before 5.3.0 does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin dashboard, leading t… |
| CVE-2023-2362 | MEDIUM | 6.1 | 2023-06-12 | The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before… |
| CVE-2024-1331 | MEDIUM | 6.1 | 2024-03-18 | The Team Members WordPress plugin before 5.3.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embe… |
| CVE-2024-8629 | MEDIUM | 6.1 | 2024-10-08 | The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate esc… |
| CVE-2024-10825 | MEDIUM | 6.1 | 2024-11-15 | The Hide My WP Ghost – Security & Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL in all versions up to, and including, 5.3.01 due to ins… |
| CVE-2024-10103 | MEDIUM | 6.1 | 2024-11-19 | In the process of testing the MailPoet WordPress plugin before 5.3.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malic… |
| CVE-2024-11356 | MEDIUM | 6.1 | 2025-01-06 | The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cros… |
| CVE-2025-2804 | MEDIUM | 6.1 | 2025-03-28 | The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the 'account_id' and 'account_username' parameters in al… |
| CVE-2025-1705 | MEDIUM | 6.1 | 2025-03-28 | The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validatio… |
| CVE-2025-2806 | MEDIUM | 6.1 | 2025-05-08 | The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the ‘data’ parameter in all versions up to, and includin… |
| CVE-2024-3472 | MEDIUM | 5.9 | 2024-05-02 | The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via… |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2019-16780 | MEDIUM | 5.8 | 2019-12-26 | WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can… |
| CVE-2019-16781 | MEDIUM | 5.8 | 2019-12-26 | In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It… |
| CVE-2021-36872 | MEDIUM | 5.5 | 2021-09-23 | Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress Popular Posts plugin (versions <= 5.3.3). Vulnerable at &widget-wpp[2][post_type]. |
| CVE-2018-0578 | MEDIUM | 5.4 | 2018-05-14 | Cross-site scripting vulnerability in PixelYourSite plugin prior to version 5.3.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vect… |
| CVE-2021-20746 | MEDIUM | 5.4 | 2021-06-28 | Cross-site scripting vulnerability in WordPress Popular Posts 5.3.2 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. |
| CVE-2021-24680 | MEDIUM | 5.4 | 2022-01-03 | The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users wi… |
| CVE-2022-4485 | MEDIUM | 5.4 | 2023-01-23 | The Page-list WordPress plugin before 5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a rol… |
| CVE-2022-4471 | MEDIUM | 5.4 | 2023-02-13 | The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, whi… |
| CVE-2024-6754 | MEDIUM | 5.4 | 2024-07-24 | The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the ‘wpw_auto_poster_update_tweet_template’ functio… |
| CVE-2025-9542 | MEDIUM | 5.4 | 2025-09-09 | The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification … |
| CVE-2022-40194 | MEDIUM | 5.3 | 2022-09-23 | Unauthenticated Sensitive Information Disclosure vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress |
| CVE-2024-1044 | MEDIUM | 5.3 | 2024-02-29 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_review' function in a… |
| CVE-2022-4534 | MEDIUM | 5.3 | 2024-10-08 | The Limit Login Attempts (Spam Protection) plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.3. This is due to insufficient restriction… |
| CVE-2024-13794 | MEDIUM | 5.3 | 2025-02-12 | The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 5.3.02. This is due to the … |
| CVE-2026-5234 | MEDIUM | 5.3 | 2026-04-17 | The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConn… |
| CVE-2024-0451 | MEDIUM | 5.0 | 2024-05-22 | The AI ChatBot plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the openai_file_list_callback function in all versions up to,… |
| CVE-2024-0452 | MEDIUM | 5.0 | 2024-05-22 | The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_upload_callback function in all version… |
| CVE-2024-0453 | MEDIUM | 5.0 | 2024-05-22 | The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_delete_callback function in all version… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2026-1249 | MEDIUM | 5.0 | 2026-02-14 | The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyric… |
| CVE-2025-10047 | MEDIUM | 4.9 | 2025-10-22 | The Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails plugin for WordPress is vulnerable to SQL Injection via the 'orderby' p… |
| CVE-2024-0602 | MEDIUM | 4.4 | 2024-02-29 | The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.30.9 due … |
| CVE-2023-6495 | MEDIUM | 4.4 | 2024-06-19 | The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 5.30.9 due to… |
| CVE-2013-1407 | MEDIUM | 4.3 | 2014-05-13 | Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to in… |
| CVE-2019-20043 | MEDIUM | 4.3 | 2019-12-27 | In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mar… |
| CVE-2022-2144 | MEDIUM | 4.3 | 2022-07-17 | The Jquery Validation For Contact Form 7 WordPress plugin before 5.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in … |
| CVE-2022-38134 | MEDIUM | 4.3 | 2022-09-23 | Authenticated (subscriber+) Broken Access Control vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. |
| CVE-2022-38470 | MEDIUM | 4.3 | 2022-09-23 | Cross-Site Request Forgery (CSRF) vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-13405 | MEDIUM | 4.3 | 2025-02-19 | The Apptivo Business Site CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2025-13393 | MEDIUM | 4.3 | 2026-01-10 | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient valid… |
| CVE-2025-12075 | MEDIUM | 4.3 | 2026-02-18 | The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint i… |
| CVE-2026-5365 | MEDIUM | 4.3 | 2026-05-14 | The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_… |
| CVE-2026-7563 | MEDIUM | 4.3 | 2026-05-15 | The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.… |
WordPress 5.3 is years out of date, and the table above shows why running it, or the plugin versions that sit beside it, is a poor bet: over a hundred published CVEs, many of them trivial to exploit and routinely scanned for. Updating core is quick and closes the core entries; updating the plugins named above is what closes most of the rows in the table. Do both, then re-read the installed versions afterwards rather than assuming the update succeeded.
SiteRecipe.com's security monitoring scans your WordPress version and installed plugins, flags the entries in this list that apply to your site, and alerts you to the updates that remove them before attackers find the gap. Visit SiteRecipe.com to run a free security audit of your installation and get an action plan for the updates it needs.