WordPress 6.9 has been flagged with 28 security vulnerabilities—including 5 critical flaws that could give attackers complete control of your website. Over 1,021 websites are currently running this vulnerable version, making them prime targets for hackers. In this guide, we'll show you exactly what these vulnerabilities are, how to check if your site is affected, and the steps to secure your WordPress installation immediately.
The most dangerous CVEs involve arbitrary file upload, SQL injection, and account takeover. Without urgent patching, attackers could execute malicious code on your server, steal customer data, or hijack administrator accounts. If you're running WordPress 6.9, this is not a guide you can afford to skip.
WordPress 6.9 is a version of the world's most popular website platform, used by millions of websites globally. Like all software, WordPress regularly receives updates that add new features and fix security problems. Version 6.9 was released to improve functionality, but security researchers discovered serious flaws that weren't properly addressed before release.
These vulnerabilities primarily exist in plugins (add-ons that extend WordPress functionality) rather than WordPress core itself. Plugins like File Manager, WPCargo, and Block Bad Bots contain code that doesn't properly validate user input, leaving doors wide open for attackers. Even though WordPress 6.9 is not the latest version, thousands of site owners haven't updated, leaving themselves dangerously exposed.
28 CVEs were found. The most critical are explained below.
The File Manager plugin has a security flaw that lets attackers upload and run dangerous code on your website. This happens because the plugin doesn't properly protect a file that should never be executable. Hackers can exploit this to take complete control of your site.
Impact: An attacker could gain full control of your website, steal customer data, install malware, or use your site to attack other websites.
The WPCargo Track & Trace plugin contains a vulnerability that lets anyone create malicious PHP files on your server without needing to log in. Once uploaded, these files can be executed to run harmful commands on your website.
Impact: Attackers could completely compromise your website, access sensitive customer information, modify site content, or use your server for illegal activities.
The Block Bad Bots plugin doesn't properly validate user input, which allows attackers to inject harmful SQL commands into your database. Visitors don't even need to be logged in to exploit this weakness.
Impact: Hackers could read, modify, or delete your database contents, including customer information, posts, and user accounts.
The WP Visitor Statistics plugin doesn't properly filter user input before using it in database queries. This allows anyone visiting your site to inject malicious SQL commands without logging in.
Impact: Attackers could extract sensitive data from your database, modify website content, or cause your website to malfunction completely.
The WP JobHunt plugin doesn't properly verify user identity when someone tries to change a password. This means an attacker can reset any user's password, including admin accounts, without providing the correct credentials.
Impact: Attackers could take over user accounts, particularly admin accounts, and gain full control of your website and all associated data.
The Blog2Social plugin doesn't properly protect user input in database queries. While this requires a logged-in user to exploit, even low-level users like subscribers can use this to inject malicious SQL commands.
Impact: Logged-in users could extract sensitive data from your database or modify content without proper authorization.
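As an added example (not code from any plugin named on this page), the following PHP shows the two plugin patterns described above, an unauthenticated AJAX action that interpolates input into SQL and a password change with no identity check, each beside a hardened form built on standard WordPress APIs; the hook, table and parameter names are hypothetical.

```php
<?php
// Added illustration (not code from any plugin named above): the two patterns behind
// the CVE classes described on this page, each beside a hardened form using standard
// WordPress APIs. Hook and table names (bbb_log, jh_reset, ...) are hypothetical.

// VULNERABLE: reachable by anonymous users (wp_ajax_nopriv_) and $_GET['ip'] is
// unslashed but not escaped, then interpolated straight into SQL (SQL injection).
function bbb_lookup_vulnerable() {
    global $wpdb;
    $ip = wp_unslash( $_GET['ip'] );
    wp_send_json( $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}bbb_log WHERE ip = '$ip'" ) );
}
add_action( 'wp_ajax_nopriv_bbb_lookup', 'bbb_lookup_vulnerable' );

// HARDENED: logged-in users with a capability only, nonce-checked, and the value
// is bound through $wpdb->prepare() instead of being interpolated.
function bbb_lookup_hardened() {
    check_ajax_referer( 'bbb_lookup', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    $ip = sanitize_text_field( wp_unslash( $_GET['ip'] ?? '' ) );
    wp_send_json_success( $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}bbb_log WHERE ip = %s", $ip )
    ) );
}
add_action( 'wp_ajax_bbb_lookup', 'bbb_lookup_hardened' );

// VULNERABLE: trusts a client-supplied user id, so any visitor can set any
// account's password, administrators included (account takeover).
function jh_reset_vulnerable() {
    wp_set_password( $_POST['new_password'], (int) $_POST['user_id'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_jh_reset', 'jh_reset_vulnerable' );
// HARDENED: only the logged-in user changes their own password, after a nonce
// check and re-verification of the current password; no user id from the client.
function jh_reset_hardened() {
    check_ajax_referer( 'jh_reset', 'nonce' );
    $user    = wp_get_current_user();
    $current = (string) ( $_POST['current_password'] ?? '' );
    if ( ! $user->exists() || ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_set_password( (string) $_POST['new_password'], $user->ID );
    wp_send_json_success();
}
add_action( 'wp_ajax_jh_reset', 'jh_reset_hardened' );
```

The `wp_ajax_nopriv_` registration and the missing `current_user_can()` / nonce checks are the quickest things to look for when auditing a plugin's AJAX handlers.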
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-10729 | HIGH | 8.8 | 2024-11-26 | The Booking & Appointment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_google_cale… |
| CVE-2024-12035 | HIGH | 8.8 | 2025-03-07 | The CS Framework plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cs_widget_file_delete() function in all versions up … |
| CVE-2025-66428 | HIGH | 8.8 | 2026-01-22 | An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation. |
| CVE-2024-32692 | HIGH | 8.2 | 2024-05-17 | Missing Authorization vulnerability in QuanticaLabs Chauffeur Taxi Booking System for WordPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects … |
| CVE-2024-13777 | HIGH | 8.1 | 2025-03-05 | The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserializatio… |
| CVE-2024-13776 | HIGH | 8.1 | 2025-04-05 | The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a mi… |
| CVE-2018-7433 | HIGH | 7.5 | 2018-03-02 | The iThemes Security plugin before 6.9.1 for WordPress does not properly perform data escaping for the logs page. |
| CVE-2024-12036 | HIGH | 7.5 | 2025-03-07 | The CS Framework plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.9 via the get_widget_settings_json() function. This makes it pos… |
| CVE-2025-3431 | HIGH | 7.5 | 2025-04-08 | The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_down… |
| CVE-2021-24770 | MEDIUM | 6.5 | 2021-11-01 | The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow… |
| CVE-2022-3247 | MEDIUM | 6.5 | 2022-10-25 | The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not have authorisation in an AJAX action, and does not ensure that the URL to make a reques… |
| CVE-2024-2783 | MEDIUM | 6.4 | 2024-04-09 | The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl… |
| CVE-2024-12118 | MEDIUM | 6.4 | 2025-01-23 | The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar Link Widget through the html_tag attribute in all versions up to, … |
| CVE-2025-0839 | MEDIUM | 6.4 | 2025-04-05 | The ZoomSounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 6.91 due to insufficient input sanitization and o… |
| CVE-2022-1436 | MEDIUM | 6.1 | 2022-05-16 | The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow… |
| CVE-2023-5054 | MEDIUM | 5.8 | 2023-09-19 | The Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay in versions up to, and including, 6.9.3. This is due to insufficien… |
| CVE-2015-20019 | MEDIUM | 5.4 | 2021-11-01 | The Content text slider on post WordPress plugin before 6.9 does not sanitise and escape the Title and Message/Content settings, which could lead to Cross-Site Scripting issues |
| CVE-2025-4583 | MEDIUM | 5.4 | 2025-05-29 | The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up… |
| CVE-2021-24757 | MEDIUM | 5.3 | 2021-11-01 | The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated … |
| CVE-2022-1435 | MEDIUM | 4.8 | 2022-05-16 | The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitize and escapes some of its settings, which could allow high privilege users such as admin to perform Cross-S… |
| CVE-2026-3906 | MEDIUM | 4.3 | 2026-03-11 | WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to all… |
| CVE-2022-3622 | MEDIUM | 4.1 | 2023-10-20 | The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11. This makes it possible for a… |
WordPress 6.9's 28 vulnerabilities—especially the 5 critical CVEs—represent a genuine threat to your website's security. Account takeovers, file uploads, SQL injection attacks, and remote code execution are all possible if you delay patching. The good news is that updating WordPress and your plugins is straightforward and can be completed in minutes.
Don't leave your website vulnerable another day. Use SiteRecipe.com to continuously monitor your WordPress installation, plugins, and themes for new vulnerabilities. Our platform automatically alerts you to security risks and provides step-by-step guidance to fix them, so you can focus on running your business instead of worrying about hackers. Start your free security scan today and get peace of mind knowing your site is protected.