    Home /
    Blog /
    wordpress 5.3.6
  

Security Advisory

WordPress 5.3.6 Security: 3 CVEs Explained & Fix Guide

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 1 websites still running wordpress 5.3.6 → View full list

Total

High

Medium

WordPress 5.3.6 has been identified with three security vulnerabilities that could put your website at risk. While this older version of WordPress is no longer widely used, any site still running it needs immediate attention. In this guide, we'll break down the specific vulnerabilities, explain the risks in simple terms, and provide you with actionable steps to secure your site.

Whether you're a website owner, content creator, or small business operator, understanding these vulnerabilities is crucial for protecting your data and your visitors' information. We've created this comprehensive guide to help you assess your risk level and take the necessary steps to fix any security issues.

What is Wordpress 5.3.6?

WordPress 5.3.6 is an older version of WordPress, the popular website platform that powers millions of websites worldwide. This version was released in February 2020 and has since been replaced by much newer versions with significant improvements and security patches. If your site is still running WordPress 5.3.6, you're likely missing years of security updates and feature improvements that newer versions provide.

Just like any software, WordPress releases updates regularly to fix bugs, add new features, and most importantly, patch security vulnerabilities. When you don't update your WordPress version, your site becomes increasingly vulnerable to attacks because hackers know exactly which security holes exist in older versions. The three CVEs (Common Vulnerabilities and Exposures) found in WordPress 5.3.6 are a perfect example of why staying current is so important.

Key Vulnerabilities in Wordpress 5.3.6

3 CVEs found. The most critical are explained below.

HIGH CVE-2025-9539 8.0/10 · CVSS v3.1 ⏱ Immediate

AutomatorWP Plugin Missing Security Check

The AutomatorWP plugin has a security gap that allows someone to import and modify automations without proper permission verification. This is like leaving your automation rules accessible to anyone, even those who shouldn't have access.

Impact: Attackers could change your automated workflows, potentially disrupting business processes, sending unwanted communications, or modifying critical automation rules without your knowledge.

↗ View on NVD

MEDIUM CVE-2025-5286 6.4/10 · CVSS v3.1 ⏱ Within 7 days

Bold Page Builder Plugin Script Injection Vulnerability

The Bold Page Builder plugin doesn't properly clean user input in its settings, allowing malicious code to be stored in your website. This only affects users with Contributor access or higher, but the risk is real.

Impact: Someone with contributor access could inject harmful scripts that execute when visitors view pages, potentially stealing visitor information or redirecting users to malicious sites.

↗ View on NVD

MEDIUM CVE-2013-7480 6.1/10 · CVSS v3.0 ⏱ Within 30 days

Events Manager Plugin Script Injection in Forms

The Events Manager plugin has an older security issue in its booking forms that allows malicious code to be inserted and run. This affects how user information is processed through event booking.

Impact: Attackers could inject scripts into booking forms to steal visitor information, session data, or perform unauthorized actions on behalf of site visitors.

↗ View on NVD

Is your website running Wordpress 5.3.6?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 1 affected sites

How to Check If Your Website Is Affected

1 Log into your WordPress admin dashboard and scroll to the bottom of the left sidebar to find your WordPress version number
2 If you see 'WordPress 5.3.6' displayed, your site is running this vulnerable version and needs immediate attention
3 Check your installed plugins: AutomatorWP, Bold Page Builder, and Events Manager are specifically vulnerable—go to Plugins in your dashboard and verify which versions you have

How to Fix These Vulnerabilities

1 Update WordPress immediately to the latest stable version by going to Dashboard > Updates and clicking 'Update Now' (backup your site first)
2 Update all plugins, especially AutomatorWP, Bold Page Builder, and Events Manager to their latest versions through Plugins > Update Available
3 If you use AutomatorWP, update to version 5.3.7 or higher; for Bold Page Builder, update beyond 5.3.6; and for Events Manager, update to 5.3.6.1 or newer
4 After all updates are complete, test your website thoroughly to ensure everything works correctly, then use a security scanner to verify no vulnerabilities remain

Conclusion

WordPress 5.3.6 contains vulnerabilities that could compromise your website's security, your business data, and your visitors' information. The good news is that these issues are completely fixable with straightforward updates. By following the steps in this guide, you can eliminate these security risks and enjoy a safer, more stable website.

Regularly checking for vulnerabilities and staying on top of updates is essential for any website owner. SiteRecipe.com offers powerful security scanning and vulnerability detection tools that make it easy to identify risks like these before hackers do. Start protecting your WordPress site today with a free scan at SiteRecipe.com and gain peace of mind knowing your website is secure.

Frequently Asked Questions

Is WordPress 5.3.6 still supported?

No, WordPress 5.3.6 is no longer supported and hasn't received security updates in years. WordPress typically supports versions for about 6-12 months after a major release. You should upgrade to the current WordPress version immediately to receive ongoing security patches and support.

What happens if I don't update these vulnerabilities?

If left unpatched, these vulnerabilities could allow hackers to inject malicious code into your website, modify data without authorization, or steal sensitive information. This could damage your reputation, result in data loss, and potentially harm your visitors.

Will updating WordPress break my website?

Modern WordPress updates are designed to be backward compatible and usually don't break websites. However, it's always best practice to backup your site first. After updating, test all key features and functionality to ensure everything works as expected.

How often should I check for WordPress vulnerabilities?

You should check for vulnerabilities at least monthly, and ideally enable automatic updates for security releases. Using a vulnerability scanner like SiteRecipe.com helps identify issues automatically so you don't have to remember to check manually.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 1 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com