WordPress 7.0 is currently running on over 1,000 websites, but security researchers have discovered a critical security crisis affecting this version. A total of 43 vulnerabilities have been identified, including 6 critical-severity flaws that could allow attackers to take complete control of your website. These aren't theoretical threats—they're actively exploited vulnerabilities that put your data, visitors, and business at immediate risk.
The vulnerabilities span across popular WordPress plugins including wpDiscuz, Quiz and Survey Master, WP User, Site Reviews, and Events Calendar Pro. Many of these flaws allow unauthenticated attackers to execute malicious code, delete critical files, bypass security controls, and manipulate your site without any authorization. If your website is running WordPress 7.0, you need to take action immediately to protect yourself.
WordPress 7.0 is a content management system that powers millions of websites worldwide. It's used by bloggers, small businesses, e-commerce stores, and large enterprises to create, manage, and publish web content without requiring advanced coding knowledge. WordPress allows users to build websites through themes, plugins, and a user-friendly dashboard interface.
Like all software, WordPress relies on plugins and extensions to add functionality beyond its core features. While these plugins provide valuable tools, from contact forms to event management to user registration, they can also introduce security vulnerabilities if they are not properly maintained or coded. WordPress 7.0 specifically has multiple plugin-related vulnerabilities that create serious security gaps for website owners.
43 CVEs found. The most critical are explained below.
The wpDiscuz plugin (versions 7.0-7.0.4) has a security hole that lets anyone upload files to your website without logging in. Attackers can upload dangerous files like PHP scripts that give them complete control of your site.
Impact: A hacker could take over your entire WordPress site, steal customer data, install malware, or use your site to attack others.
The Quiz and Survey Master plugin (before 7.0.1) allows anyone to upload files through quiz questions without proper security checks. Hackers can upload malicious code that runs on your server.
Impact: An attacker gains full control of your website, can steal all your data, modify pages, or shut down your site completely.
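The two upload flaws above share one root cause: an AJAX endpoint reachable without login that writes whatever the client sends into the uploads directory. This added example (constructed here, not wpDiscuz's or Quiz and Survey Master's code) shows that pattern beside a hardened handler; the action name `demo_upload` and the MIME allow-list are assumptions for illustration.

```php
<?php
// Added example, not any named plugin's code. Hook names and the allow-list are constructed.

// BEFORE: registered on the *_nopriv_ hook, so logged-out visitors reach it, and the
// client-chosen file name and content are written straight into the uploads directory.
add_action( 'wp_ajax_nopriv_demo_upload', 'demo_upload_vulnerable' );
function demo_upload_vulnerable() {
    $dir    = wp_upload_dir();
    $target = $dir['basedir'] . '/' . $_FILES['file']['name'];   // name chosen by the client
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );  // no auth, nonce, type or size check
    wp_send_json_success( [ 'url' => $dir['baseurl'] . '/' . $_FILES['file']['name'] ] );
}

// AFTER: logged-in hook only, nonce, capability, size cap, extension AND content-type
// allow-list, and wp_handle_upload() to sanitise and uniquify the stored file name.
add_action( 'wp_ajax_demo_upload', 'demo_upload_hardened' );
function demo_upload_hardened() {
    check_ajax_referer( 'demo_upload', 'nonce' );                // CSRF token tied to this action
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );                  // wp_send_json_* exit after replying
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file received', 400 );
    }
    if ( $_FILES['file']['size'] > 2 * 1024 * 1024 ) {
        wp_send_json_error( 'file too large', 413 );
    }
    // Explicit allow-list: a plugin must never accept php, phtml, html or svg here.
    $allowed = [ 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' ];
    // Checks the extension and sniffs the real content; both must agree with the allow-list.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // wp_handle_upload() repeats the type check, sanitises the name and avoids overwrites.
    $result = wp_handle_upload( $_FILES['file'], [ 'test_form' => false, 'mimes' => $allowed ] );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( [ 'url' => $result['url'] ] );
}
```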
The same Quiz and Survey Master plugin also lets attackers delete critical files from your website, including the main WordPress configuration file. This can completely disable your site.
Impact: Your website goes offline and becomes inaccessible. An attacker could then reinstall WordPress under their control, gaining permanent access to your site.
The WP User plugin (through version 7.0) doesn't properly protect database queries, allowing hackers to inject malicious code. Anyone can exploit this without needing a login.
Impact: Attackers can access, modify, or delete your database containing customer information, posts, and sensitive business data.
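An unprotected database query in a WordPress plugin usually means request parameters concatenated into SQL. This added example (constructed here, not WP User's code) shows that beside the `$wpdb->prepare()` version, and also covers the `orderby` case from the table below, where the untrusted input is a column name rather than a value; the table `demo_profiles`, the hook names and the parameters `user` and `orderby` are assumptions.

```php
<?php
// Added example, not any named plugin's code. Table, hooks and parameters are constructed.

// BEFORE: both the value and the ORDER BY column come straight from the query string.
add_action( 'wp_ajax_nopriv_demo_lookup_old', 'demo_lookup_vulnerable' );
function demo_lookup_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_profiles';
    $sql   = "SELECT id, display_name FROM {$table} WHERE username = '" . $_GET['user'] . "'"
           . ' ORDER BY ' . $_GET['orderby'];
    wp_send_json( $wpdb->get_results( $sql ) );
}

// AFTER: values are bound with %s (prepare() escapes them; sanitize_text_field() only
// normalises whitespace and strips tags and is NOT an SQL escape). Identifiers cannot be
// escaped like values, so the ORDER BY column is mapped through an allow-list and then
// quoted with the %i identifier placeholder (available since WordPress 6.2).
add_action( 'wp_ajax_nopriv_demo_lookup', 'demo_lookup_hardened' );
function demo_lookup_hardened() {
    global $wpdb;
    $user    = sanitize_text_field( wp_unslash( $_GET['user'] ?? '' ) );
    $orderby = sanitize_key( $_GET['orderby'] ?? 'id' );
    $columns = [ 'id' => 'id', 'name' => 'display_name' ];   // request key => real column
    if ( '' === $user || ! isset( $columns[ $orderby ] ) ) {
        wp_send_json_error( 'bad request', 400 );             // exits after replying
    }
    $table = $wpdb->prefix . 'demo_profiles';                 // trusted: from config, not input
    $sql   = $wpdb->prepare(
        "SELECT id, display_name FROM {$table} WHERE username = %s ORDER BY %i",
        $user,
        $columns[ $orderby ]
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}
```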
The Site Reviews plugin (before 7.0.0) incorrectly identifies visitor IP addresses, making it easy for attackers to trick security systems. If you use IP-based blocking to protect your site, this bypasses it.
Impact: Attackers can circumvent your IP-based security filters and gain unauthorized access to restricted areas of your site.
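The usual way a plugin misidentifies a visitor is by trusting a client-settable header such as `X-Forwarded-For` over the address of the actual TCP peer. This added example (constructed here, not Site Reviews' code) contrasts that with a resolver that only honours the header when the peer is a known reverse proxy; the proxy address and the two sample requests are constructed placeholders.

```php
<?php
// Added example, not any named plugin's code. Proxy list and sample requests are constructed.

// BEFORE: any client can set X-Forwarded-For, so every IP-based block, rate limit or
// "one review per address" rule keyed on this value is evaded by sending a header.
function demo_client_ip_vulnerable( array $server ) {
    if ( ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        return trim( explode( ',', $server['HTTP_X_FORWARDED_FOR'] )[0] );
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// AFTER: REMOTE_ADDR is set by the web server from the connection and cannot be forged
// by the client. Only when that peer is a trusted reverse proxy is X-Forwarded-For used,
// walked from the right (the hop the proxy itself appended) to the first non-proxy entry.
function demo_client_ip_hardened( array $server, array $trusted_proxies ) {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ( ! in_array( $remote, $trusted_proxies, true ) || empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        return $remote;                                   // direct connection: header is untrusted
    }
    $hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( ! filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) ) {
            return $remote;                               // malformed chain: fall back to the peer
        }
        if ( ! in_array( $hops[ $i ], $trusted_proxies, true ) ) {
            return $hops[ $i ];                           // first untrusted hop is the real client
        }
    }
    return $remote;
}

// Constructed requests: a direct client that set the header itself, and a request that
// arrived through the proxy with a client-injected value still in front of the real one.
$proxies = [ '10.0.0.5' ];                                // PLACEHOLDER: your reverse proxy address(es)
$spoofed = [ 'REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1' ];
$proxied = [ 'REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9' ];
var_dump( demo_client_ip_vulnerable( $spoofed ) );
var_dump( demo_client_ip_hardened( $spoofed, $proxies ) );
var_dump( demo_client_ip_hardened( $proxied, $proxies ) );
```

For the spoofed request the vulnerable resolver returns the header value while the hardened one returns the peer address; for the proxied request the hardened one returns the hop the proxy appended, ignoring the client-injected entry.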
The Events Calendar Pro plugin (through 7.0.2) has a flaw in how it processes widget data. An admin account with elevated permissions could be tricked into executing malicious code.
Impact: Someone with administrative access could be manipulated into running code that compromises your site or gives an attacker elevated control.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2023-1273 | HIGH | 8.8 | 2023-07-04 | The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authentica… |
| CVE-2024-0786 | HIGH | 8.8 | 2024-02-28 | The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ee_syncP… |
| CVE-2024-1203 | HIGH | 8.8 | 2024-03-13 | The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'valueData' paramet… |
| CVE-2025-11923 | HIGH | 8.8 | 2025-11-13 | The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a use… |
| CVE-2026-1750 | HIGH | 8.8 | 2026-02-15 | The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing ca… |
| CVE-2026-6692 | HIGH | 8.8 | 2026-05-07 | The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function. This is due… |
| CVE-2026-7654 | HIGH | 8.8 | 2026-06-05 | The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `un… |
| CVE-2024-13440 | HIGH | 8.2 | 2025-02-09 | The Super Store Finder plugin for WordPress is vulnerable to SQL Injection via the ‘ssf_wp_user_name’ parameter in all versions up to, and including, 7.0 due to insufficient escap… |
| CVE-2014-2316 | HIGH | 7.5 | 2014-03-09 | SQL injection vulnerability in se_search_default in the Search Everything plugin before 7.0.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the s par… |
| CVE-2021-24981 | HIGH | 7.5 | 2021-12-21 | The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins… |
| CVE-2023-7046 | HIGH | 7.5 | 2024-04-09 | The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, SSL Score plugin for WordPress is vulnerable to Sensitive Information Exposure in all ver… |
| CVE-2025-6970 | HIGH | 7.5 | 2025-07-09 | The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and i… |
| CVE-2026-5050 | HIGH | 7.5 | 2026-04-16 | The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 du… |
| CVE-2018-12636 | HIGH | 7.2 | 2018-06-22 | The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page. |
| CVE-2026-2269 | HIGH | 7.2 | 2026-03-03 | The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, a… |
| CVE-2013-3479 | MEDIUM | 6.8 | 2013-09-05 | Cross-site request forgery (CSRF) vulnerability in the ShareThis plugin before 7.0.6 for WordPress allows remote attackers to hijack the authentication of administrators for reque… |
| CVE-2024-1510 | MEDIUM | 6.4 | 2024-02-20 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_tooltip shortcode in all versions up to, and i… |
| CVE-2024-1808 | MEDIUM | 6.4 | 2024-02-28 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_qrcode' shortcode in all versions up to, and … |
| CVE-2024-0792 | MEDIUM | 6.4 | 2024-02-29 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including… |
| CVE-2025-6976 | MEDIUM | 6.4 | 2025-07-09 | The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, a… |
| CVE-2021-25034 | MEDIUM | 6.1 | 2022-02-28 | The WP User WordPress plugin before 7.0 does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected Cross-Site Scripting issu… |
| CVE-2022-4295 | MEDIUM | 6.1 | 2023-01-16 | The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting whi… |
| CVE-2024-9213 | MEDIUM | 6.1 | 2024-10-17 | The افزونه پیامک ووکامرس Persian WooCommerce SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escapi… |
| CVE-2024-11447 | MEDIUM | 6.1 | 2024-11-21 | The Community by PeepSo – Download from PeepSo.com plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filter’ parameter in all versions up to, and inclu… |
| CVE-2024-10046 | MEDIUM | 6.1 | 2024-12-07 | The افزونه پیامک ووکامرس Persian WooCommerce SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escapi… |
| CVE-2025-6975 | MEDIUM | 6.1 | 2025-07-09 | The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘calendar_header’ parameter in all version… |
| CVE-2022-4519 | MEDIUM | 5.5 | 2022-12-15 | The WP User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters in versions up to, and including, 7.0 due to insufficient input sanitizat… |
| CVE-2021-24822 | MEDIUM | 5.4 | 2021-11-29 | The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which cou… |
| CVE-2022-4623 | MEDIUM | 5.4 | 2023-07-04 | The ND Shortcodes WordPress plugin before 7.0 does not validate and escape numerous of its shortcode attributes before outputting them back in a page/post where the shortcode is e… |
| CVE-2023-6488 | MEDIUM | 5.4 | 2023-12-19 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_button', 'su_members', and 'su_tabs' shortcod… |
| CVE-2024-2583 | MEDIUM | 5.4 | 2024-04-13 | The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.0.5 does not properly escape some of its shortcodes attributes before they are echoed back to users, makin… |
| CVE-2025-12521 | MEDIUM | 5.3 | 2025-10-31 | The Analytify Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.0.3 via the Analytify Tag HTML details. This makes i… |
| CVE-2026-6728 | MEDIUM | 5.3 | 2026-05-20 | The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'get_stream_data()' function. This makes… |
| CVE-2024-1790 | MEDIUM | 4.9 | 2024-04-09 | The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 7.0.1 via the 'type' parameter. This make… |
| CVE-2021-24944 | MEDIUM | 4.8 | 2022-02-01 | The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even wh… |
| CVE-2026-9048 | MEDIUM | 4.3 | 2026-06-02 | The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possibl… |
| CVE-2026-9050 | MEDIUM | 4.3 | 2026-06-02 | The Slider Revolution plugin for WordPress in versions 6.0.0-6.7.55 and 7.0.0-7.0.14 is vulnerable to unauthorized modification of data. This is due to the plugin not properly ver… |
WordPress 7.0 users face an urgent security situation with 6 critical vulnerabilities that could lead to complete site compromise. The combination of remote code execution, arbitrary file uploads, SQL injection, and object injection vulnerabilities creates multiple pathways for attackers to infiltrate your website. Delaying updates isn't an option—these are actively exploited vulnerabilities that criminals use to steal data, inject malware, and hijack websites for their own purposes.
Don't leave your website vulnerable to these threats. Use SiteRecipe.com's comprehensive security scanner to identify which vulnerabilities affect your site, verify that all updates are applied, and confirm that no previous compromises have occurred. Our tool checks for all 43 known vulnerabilities in WordPress 7.0 and provides detailed remediation guidance specific to your setup. Take control of your security today—scan your site with SiteRecipe.com for free and protect your business from exploitation.