    Home /
    Blog /
    wordpress 7.1.1
  

Security Advisory

WordPress 7.1.1 Security Issues: 9 CVEs Explained

    📅 June 08, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 1,021 websites still running wordpress 7.1.1 → View full list

Total

High

Medium

WordPress 7.1.1 contains 9 known security vulnerabilities, including 4 high-severity issues that put thousands of websites at immediate risk. These vulnerabilities range from SQL injection attacks to local file inclusion exploits, potentially allowing attackers to steal data, modify content, or take complete control of your site.

If you're running WordPress 7.1.1, you're not alone—over 1,021 websites still use this vulnerable version. However, staying on this version leaves your site exposed to serious security breaches. Understanding these vulnerabilities and taking immediate action is essential to protecting your business, customer data, and reputation.

In this guide, we'll break down the most critical CVEs affecting WordPress 7.1.1, show you how to identify if your site is vulnerable, and provide step-by-step instructions to secure your WordPress installation.

What is Wordpress 7.1.1?

WordPress 7.1.1 is a specific version of WordPress, the world's most popular website-building platform used by millions of sites. If you're unsure which version you're running, it's the number you see in your WordPress dashboard's bottom right corner or in your site's backend settings. Version numbers matter because WordPress releases security patches regularly, and older versions like 7.1.1 contain known security flaws that hackers actively exploit.

Think of WordPress versions like software updates on your phone—each new version patches security holes and adds features. Staying on an outdated version is like leaving your front door unlocked. Attackers know about these vulnerabilities and target sites running older versions because they're easier to compromise. The sooner you update to a newer, patched version, the sooner you eliminate these known attack vectors.

Key Vulnerabilities in Wordpress 7.1.1

9 CVEs found. The most critical are explained below.

HIGH CVE-2021-24221 8.8/10 · CVSS v3.1 ⏱ Immediate

Quiz and Survey Master Plugin - Database Attack Vulnerability

A flaw in the Quiz and Survey Master plugin (versions before 7.1.12) allows attackers to manipulate quiz result pages. Hackers can inject malicious code into the quiz results, which gets executed against your website's database.

Impact: Attackers could steal sensitive data from your database, modify quiz results, or take control of your website's information.

↗ View on NVD

HIGH CVE-2024-3807 8.8/10 · CVSS v3.1 ⏱ Immediate

Porto Theme - Unauthorized File Access Vulnerability

The Porto theme (versions up to 7.1.0) has a security flaw that allows users with contributor access or higher to view files they shouldn't be able to access. An attacker with limited account permissions can read sensitive website files.

Impact: Hackers could expose your website's configuration files, database credentials, or other private information stored on your server.

↗ View on NVD

HIGH CVE-2024-12594 8.8/10 · CVSS v3.1 ⏱ Immediate

Custom Login Page Styler Plugin - Account Permission Bypass

The Custom Login Page Styler plugin has a flaw that allows attackers with low-level accounts to gain higher-level permissions they shouldn't have. Someone with basic access could elevate themselves to administrator level.

Impact: An attacker could gain full control of your website, modify content, install malware, or lock you out of your own site.

↗ View on NVD

HIGH CVE-2023-45074 8.5/10 · CVSS v3.1 ⏱ Immediate

Advanced Page Visit Counter Plugin - Database Attack Vulnerability

The Advanced Page Visit Counter plugin is vulnerable to database attacks similar to the Quiz plugin issue. Attackers can inject malicious commands into the plugin's analytics tracking system.

Impact: Hackers could steal visitor data, modify statistics, or compromise your entire database.

↗ View on NVD

MEDIUM CVE-2024-4711 6.4/10 · CVSS v3.1 ⏱ Within 7 days

Infinite Scroll Plugin - Malicious Content Injection Flaw

The WordPress Infinite Scroll plugin (versions up to 7.1.1) doesn't properly filter content added through its shortcode feature. An attacker with editing privileges can inject harmful scripts that affect other users.

Impact: Malicious scripts could steal visitor information, redirect users to dangerous sites, or compromise user accounts.

↗ View on NVD

MEDIUM CVE-2021-24368 6.1/10 · CVSS v3.1 ⏱ Within 7 days

Quiz and Survey Master Plugin - Malicious Script Injection

The Quiz and Survey Master plugin (versions before 7.1.18) doesn't properly filter quiz result pages. An attacker can insert malicious scripts that execute when visitors view their quiz results.

Impact: Attackers could steal user credentials, redirect visitors to phishing sites, or compromise user accounts through malicious scripts.

↗ View on NVD

Additional Vulnerabilities (3 more)

Showing first 10 of 3. View all on NVD ↗

CVE ID	Severity	Score	Published	Description
CVE-2024-10472	MEDIUM	5.9	2025-03-25	The Stylish Price List WordPress plugin before 7.1.12 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Sto…
CVE-2022-41634	MEDIUM	5.4	2022-11-18	Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress.
CVE-2024-13530	MEDIUM	4.3	2025-01-31	The Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out plugin for WordPress is vulnerable…

          Full Report Available
        

All 9 CVEs with AI explanations + fix guide

Plain English · Fix recommendations · Instant PDF & HTML download

⬇ Get Full Report

          PDF + HTML · Instant download
        

Is your website running Wordpress 7.1.1?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 1,021 affected sites

How to Check If Your Website Is Affected

1 Log into your WordPress dashboard and look at the bottom right corner of the screen, where it displays your WordPress version number
2 Alternatively, go to Dashboard > Updates to see your current version and check if updates are available
3 If you see version 7.1.1 or any version below 7.1.2, your site is vulnerable to at least one of the 9 CVEs we've identified

How to Fix These Vulnerabilities

1 Before updating, create a complete backup of your WordPress site using your hosting provider's backup tool or a plugin like UpdraftPlus or Duplicator
2 Navigate to Dashboard > Updates and click 'Update Now' to upgrade to the latest stable WordPress version (this will patch all known vulnerabilities)
3 After WordPress updates, check your plugins for updates—vulnerable plugins like Quiz and Survey Master, Porto theme, and Custom Login Page Styler need updating to versions that patch their specific CVEs
4 Run a security scan using a tool like Wordfence or SiteRecipe.com to verify all vulnerabilities are resolved and check for any signs of previous compromise

Conclusion

WordPress 7.1.1 poses significant security risks with 4 high-severity vulnerabilities that could lead to data theft, site compromise, or complete takeover. The good news is that updating takes just minutes and instantly eliminates these known attack vectors. Don't wait for attackers to exploit your site—take action today to secure your WordPress installation.

SiteRecipe.com makes WordPress security simple. Our platform automatically scans your WordPress site for all known vulnerabilities, alerts you to critical threats, and provides step-by-step remediation guidance. Visit SiteRecipe.com today for a free security scan and discover exactly what vulnerabilities affect your site. Your WordPress security is too important to leave to chance.

Frequently Asked Questions

How serious are these vulnerabilities in WordPress 7.1.1?

Very serious. Four vulnerabilities are classified as HIGH severity, meaning attackers can exploit them to execute SQL injection attacks, steal files, or inject malicious code. SQL injection vulnerabilities are particularly dangerous because they allow attackers to directly access and manipulate your database. These aren't theoretical risks—hackers actively scan for and exploit these specific vulnerabilities.

Will updating WordPress delete my content or break my site?

No, WordPress updates preserve all your content, pages, posts, and settings. However, it's always wise to create a backup first, just in case. Most sites update without any issues, but a backup ensures you can restore your site if something unexpected happens. After updating, test your site briefly to confirm everything works as expected.

Why are 1,021 websites still running vulnerable WordPress 7.1.1?

Some website owners don't realize their site is outdated, others fear that updating will break plugins or themes, and some simply forget to maintain their sites. Many managed hosting providers can enable automatic updates, removing this burden entirely. Neglecting updates is one of the most common reasons websites get hacked, making it critical to establish a regular maintenance routine.

Can I update WordPress manually if automatic updates fail?

Yes, you can manually update by downloading the latest WordPress version from WordPress.org, uploading it via FTP, and running the update script. However, most hosting providers offer easier one-click update options in their control panels. If you're uncomfortable updating manually, contact your hosting provider's support team—they can often handle it for you.

How do I know if my site was already hacked before I update?

Security scanning tools like SiteRecipe.com can detect signs of previous compromise, including unauthorized files, malware, and malicious database entries. Running a scan after updating is highly recommended to catch any backdoors or malware that attackers may have installed. If your site was compromised, you'll want to clean it thoroughly to prevent re-infection.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 1,021 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 08, 2026 · SiteRecipe.com