WordPress 5.6 poses a significant security risk: it has 59 documented vulnerabilities, including 6 critical issues that could allow attackers to gain administrative access to your website. While only 4 websites currently run this outdated version, those that do face serious threats including code injection, SQL injection, and unauthorized file uploads. If your site hasn't been updated in years, this guide will help you understand the risks and take immediate action.
The vulnerabilities in WordPress 5.6 range from privilege escalation attacks to directory traversal exploits. Attackers could potentially steal sensitive files, inject malicious code, or completely take over your website's admin account. This isn't theoretical—these vulnerabilities are well-documented and actively exploited by cybercriminals targeting outdated WordPress installations.
WordPress 5.6 is an older version of WordPress, the content management system that powers over 43% of all websites on the internet. Released in December 2020, it was eventually superseded by newer versions that included security patches and feature improvements. WordPress versions are numbered, and 5.6 simply means it's from the 5.x branch of the software. Think of it like your phone's operating system—older versions work, but they lack critical security updates that newer versions include.
When WordPress releases new versions, each update typically fixes known security holes and vulnerabilities discovered by the community. WordPress 5.6 was secure when released, but as hackers discovered vulnerabilities over time, newer versions patched them. If you're still running WordPress 5.6 today, your site is missing years worth of security fixes. It's similar to using an outdated antivirus—it might still work, but it's not protecting you against current threats.
59 CVEs found. The most critical are explained below.
The Events Manager plugin has a vulnerability that allows hackers to inject and run harmful code on your website. This means attackers can take control of your site's functionality and data.
Impact: Attackers could steal customer information, deface your website, send spam, or completely take over your site's operations.
The RSVP Maker plugin has a weakness that lets hackers query and access your website's database directly without permission. They can see all the data stored in your database, including customer information and settings.
Impact: Hackers could steal customer data, event information, email addresses, and any other sensitive information stored in your database.
The WooCommerce Payments plugin allows hackers who aren't even logged in to act as if they have administrator access to your store. They can make requests and changes as if they were a site owner.
Impact: Attackers could modify products, steal payment information, change settings, access customer data, or completely compromise your store.
The Motors theme doesn't properly verify who someone is before letting them change passwords. This means hackers can take over any account, including administrator accounts, without knowing the current password.
Impact: Hackers can gain complete control of your website by taking over admin accounts and locking you out of your own site.
The BookingPress Pro plugin doesn't check what type of files customers upload through booking forms. Hackers can upload dangerous files like executable code instead of legitimate documents.
Impact: Attackers could upload malicious files that give them server access, steal data, or infect your website with malware.
The Icegram Express plugin has a flaw that allows administrators to access and read files anywhere on your server, not just their intended files. This includes sensitive system files and configuration data.
Impact: Admin users could access database passwords, API keys, and other confidential server information that could be used to compromise your entire hosting account.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2018-20967 | HIGH | 8.8 | 2019-08-14 | The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF. |
| CVE-2022-0410 | HIGH | 8.8 | 2022-03-07 | The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.6 does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJ… |
| CVE-2022-3769 | HIGH | 8.8 | 2022-11-28 | The OWM Weather WordPress plugin before 5.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users… |
| CVE-2024-3211 | HIGH | 8.8 | 2024-04-12 | The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to SQL Injection via the 'productid' attribute of the ec_addtocart shortcode in all versions up to, and incl… |
| CVE-2022-3763 | HIGH | 8.1 | 2022-11-21 | The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.5, Booster Elite for WooCommerce WordPress plugin before 1.1.7 … |
| CVE-2022-44589 | HIGH | 8.1 | 2023-12-29 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, … |
| CVE-2024-31210 | HIGH | 7.6 | 2024-04-04 | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plu… |
| CVE-2022-4943 | HIGH | 7.5 | 2023-10-20 | The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to,… |
| CVE-2024-5551 | HIGH | 7.5 | 2024-06-14 | The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or … |
| CVE-2024-13738 | HIGH | 7.3 | 2025-05-03 | The The Motors - Car Dealer, Rental & Listing WordPress theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.6.65. This… |
| CVE-2025-15041 | HIGH | 7.2 | 2026-02-19 | The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing cap… |
| CVE-2026-0686 | HIGH | 7.2 | 2026-04-02 | The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Recei… |
| CVE-2026-6227 | HIGH | 7.2 | 2026-04-14 | The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, … |
| CVE-2024-12633 | HIGH | 7.1 | 2025-01-07 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page parameter in all versions up … |
| CVE-2022-1608 | MEDIUM | 6.5 | 2022-06-13 | The OnePress Social Locker WordPress plugin through 5.6.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin chang… |
| CVE-2022-3762 | MEDIUM | 6.5 | 2022-11-21 | The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.5, Booster Elite for WooCommerce WordPress plugin before 1.1.7 … |
| CVE-2022-4016 | MEDIUM | 6.5 | 2022-12-12 | The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.6, Booster Elite for WooCommerce WordPress plugin before 1.1.8 … |
| CVE-2025-15260 | MEDIUM | 6.5 | 2026-02-04 | The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.1. This is due to … |
| CVE-2023-4372 | MEDIUM | 6.4 | 2024-01-11 | The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'esi' shortcode in versions up to, and including, 5.6 due to insufficient input sanit… |
| CVE-2024-1426 | MEDIUM | 6.4 | 2024-04-18 | The Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) plugin for WordPress is vulnerable… |
| CVE-2024-1429 | MEDIUM | 6.4 | 2024-04-18 | The Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) plugin for WordPress is vulnerable… |
| CVE-2024-2345 | MEDIUM | 6.4 | 2024-05-02 | The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the folder name parameter in all versions up to… |
| CVE-2024-3926 | MEDIUM | 6.4 | 2024-05-22 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-3925 | MEDIUM | 6.4 | 2024-06-12 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-4983 | MEDIUM | 6.4 | 2024-06-27 | The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vi… |
| CVE-2024-4482 | MEDIUM | 6.4 | 2024-07-03 | The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Co… |
| CVE-2024-5554 | MEDIUM | 6.4 | 2024-07-18 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-5555 | MEDIUM | 6.4 | 2024-07-18 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t… |
| CVE-2024-5763 | MEDIUM | 6.4 | 2024-08-20 | The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vid… |
| CVE-2024-6575 | MEDIUM | 6.4 | 2024-08-20 | The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘re… |
| CVE-2024-5583 | MEDIUM | 6.4 | 2024-08-22 | The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the car… |
| CVE-2026-0688 | MEDIUM | 6.4 | 2026-04-02 | The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible… |
| CVE-2026-3694 | MEDIUM | 6.4 | 2026-05-14 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt_bb_button shortcode in all versions up to, and including… |
| CVE-2015-9297 | MEDIUM | 6.1 | 2019-08-13 | The events-manager plugin before 5.6 for WordPress has XSS. |
| CVE-2022-4227 | MEDIUM | 6.1 | 2022-12-26 | The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 … |
| CVE-2024-11463 | MEDIUM | 6.1 | 2024-11-23 | The DeBounce Email Validator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'from', 'to', and 'key' parameters in all versions up to, and including, … |
| CVE-2025-58674 | MEDIUM | 5.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the iss… |
| CVE-2022-41805 | MEDIUM | 5.4 | 2022-11-18 | Cross-Site Request Forgery (CSRF) vulnerability in Booster for WooCommerce plugin <= 5.6.6 on WordPress. |
| CVE-2022-42461 | MEDIUM | 5.4 | 2022-11-18 | Broken Access Control vulnerability in miniOrange's Google Authenticator plugin <= 5.6.1 on WordPress. |
| CVE-2022-41685 | MEDIUM | 5.4 | 2022-11-18 | Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Viszt Péter's Integration for Szamlazz.hu & WooCommerce plugin <= 5.6.3.2 and Csomagpontok és szállítási címkék WooCo… |
| CVE-2022-4466 | MEDIUM | 5.4 | 2023-03-13 | The WordPress Infinite Scroll WordPress plugin before 5.6.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the sh… |
| CVE-2024-2346 | MEDIUM | 5.4 | 2024-05-02 | The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.3 vi… |
| CVE-2026-22358 | MEDIUM | 5.4 | 2026-01-22 | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Electrician - Electrical Service WordPress electrician allows Server Side Request Forgery.This issue affects Elec… |
| CVE-2024-4213 | MEDIUM | 5.3 | 2024-05-14 | The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.4 via the order report functiona… |
| CVE-2024-3927 | MEDIUM | 5.3 | 2024-05-22 | The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Form Submission Admin Email Bypas… |
| CVE-2026-7638 | MEDIUM | 5.3 | 2026-05-02 | The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0.… |
| CVE-2024-32111 | MEDIUM | 5.0 | 2024-06-25 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: f… |
| CVE-2023-39999 | MEDIUM | 4.3 | 2023-10-13 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 thr… |
| CVE-2024-8913 | MEDIUM | 4.3 | 2024-10-11 | The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all v… |
| CVE-2024-10614 | MEDIUM | 4.3 | 2024-11-16 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cancel_import() function in all versions up… |
| CVE-2025-58246 | MEDIUM | 4.3 | 2025-09-23 | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is… |
| CVE-2026-1906 | MEDIUM | 4.3 | 2026-02-18 | The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ip… |
| CVE-2026-9719 | MEDIUM | 4.3 | 2026-06-06 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. T… |
WordPress 5.6 contains 59 vulnerabilities that could compromise your entire website, from unauthorized admin access to arbitrary file uploads. Staying on outdated software is one of the biggest security mistakes website owners make. The good news? Updating WordPress takes just minutes and immediately closes most of these security holes. Don't wait for hackers to exploit these known vulnerabilities on your site.
Use SiteRecipe.com today to scan your WordPress installation and identify every vulnerability in your software, plugins, and themes. Our free security scanner shows you exactly what's outdated and dangerous, and guides you through fixes step-by-step. Protecting your website has never been easier—start your free vulnerability scan now and secure your site in minutes, not hours.