Security Advisory

WordPress 7.1.2: 5 Medium CVEs & How to Fix Them

📅 June 08, 2026 ·⏱ 5 min read ·🔒 SiteRecipe Security Team
1,021 websites still running WordPress 7.1.2. CVEs: 5 total, 5 Medium.

WordPress 7.1.2 is currently affected by five medium-severity vulnerabilities that could put your website at risk. These security flaws primarily involve Cross-Site Scripting (XSS) attacks through popular plugins like Booster for WooCommerce, WP Shortcodes, and LayerSlider. With over 1,000 websites running this version, understanding these vulnerabilities and taking action is critical for protecting your site and user data.

XSS vulnerabilities are particularly dangerous because they allow attackers to inject malicious code into your website, potentially compromising user accounts, stealing sensitive information, or defacing your site. The good news is that these vulnerabilities are fixable with proper updates and security measures. In this guide, we'll walk you through identifying which vulnerabilities affect your site and implementing the necessary fixes.

What is WordPress 7.1.2?

WordPress 7.1.2 is a content management system (CMS) version that powers millions of websites worldwide. It's a free, open-source platform that makes it easy for anyone to create, manage, and publish content online without requiring extensive coding knowledge. WordPress is incredibly popular because it's flexible, user-friendly, and supported by a large community of developers who create themes and plugins to extend its functionality.

Like all software, WordPress and its plugins regularly receive security updates to fix vulnerabilities discovered by researchers. Version 7.1.2 currently has five medium-severity security issues, mostly related to plugins that add shortcode functionality to WordPress. These aren't flaws in WordPress itself, but rather in third-party plugins that extend WordPress's capabilities. When plugins don't properly validate and clean user input, attackers can exploit these weaknesses to inject harmful code.
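
The pattern behind the shortcode issues described in this advisory, as an added example that is not code from WordPress or from any plugin named here: a hypothetical `demo_button` shortcode that outputs its attributes unescaped, beside the same handler with escaping matched to the output context. The shortcode name, function names and attributes are assumptions, and the file is meant to be loaded as a plugin inside WordPress, which provides `add_shortcode`, `shortcode_atts`, `esc_url` and `esc_html`.

```php
<?php
// Added example: hypothetical shortcode [demo_button url="..." label="..."].
// Not taken from any plugin named in this advisory.

// Before: attribute values are concatenated into markup as-is. Whatever a
// contributor saved in the post content is sent verbatim to every visitor
// who loads the page, which is what makes the flaw "stored".
function demo_button_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '#', 'label' => 'Read more' ),
        $atts,
        'demo_button'
    );
    return '<a class="btn" href="' . $atts['url'] . '">' . $atts['label'] . '</a>';
}

// After: each value is escaped for the context it lands in, at output time.
function demo_button_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '#', 'label' => 'Read more' ),
        $atts,
        'demo_button'
    );
    return sprintf(
        '<a class="btn" href="%s">%s</a>',
        esc_url( $atts['url'] ),   // rejects schemes outside the allowed list, strips invalid URL characters
        esc_html( $atts['label'] ) // encodes < > & and quotes so the label stays text
    );
}

// Register only the hardened handler.
add_shortcode( 'demo_button', 'demo_button_safe' );
```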

Key Vulnerabilities in WordPress 7.1.2

5 CVEs found. The most critical are explained below.

MEDIUM CVE-2023-5638 6.4/10 · CVSS v3.1 ⏱ Within 7 days
Booster for WooCommerce - Malicious Code Injection Vulnerability

The Booster for WooCommerce plugin doesn't properly filter user input in image shortcodes, allowing attackers to hide malicious code. When someone with admin access uses this feature, harmful scripts can be injected into your website without obvious warning signs.

Impact: An attacker could steal sensitive information from your website visitors, hijack their sessions, or redirect them to malicious sites. This compromises customer trust and data security.

MEDIUM CVE-2024-3550 6.4/10 · CVSS v3.1 ⏱ Within 7 days
Shortcodes Ultimate Plugin - Hidden Code Injection Flaw

The Shortcodes Ultimate plugin fails to properly sanitize shortcode attributes, allowing malicious code to be stored in your website's database. Admin users can unknowingly insert harmful scripts through the plugin's interface.

Impact: Visitors to your site could be exposed to malware, phishing attacks, or credential theft. The malicious code persists in your database and affects all users who view affected pages.

MEDIUM CVE-2024-8505 6.4/10 · CVSS v3.1 ⏱ Within 7 days
Infinite Scroll Plugin - Unfiltered Button Text Vulnerability

The Infinite Scroll – Ajax Load More plugin doesn't properly filter the button label field, allowing attackers to embed harmful code. Administrators can inadvertently save malicious scripts that execute whenever that button appears on your site.

Impact: Your website visitors could experience unexpected redirects, malware downloads, or data theft through infected buttons and interface elements.

MEDIUM CVE-2024-3548 6.1/10 · CVSS v3.1 ⏱ Immediate
Shortcodes Ultimate Plugin - Admin-Targeted Code Injection

The Shortcodes Ultimate plugin has a flaw where attackers can craft special links that inject malicious code when an admin clicks them. The code executes in the admin's browser with full administrative privileges.

Impact: An attacker could perform any action as your admin account, including stealing sensitive data, modifying content, or creating backdoor accounts for future access.

MEDIUM CVE-2022-1153 4.8/10 · CVSS v3.1 ⏱ Within 30 days
LayerSlider Plugin - Admin Interface Code Injection Flaw

The LayerSlider plugin doesn't properly filter project names before displaying them in the admin area, allowing malicious code to be embedded. Admin users could accidentally trigger harmful scripts while managing their sliders.

Impact: Attackers could compromise your admin account, steal administrative credentials, or modify website content and settings without authorization.



How to Check If Your Website Is Affected

How to Fix These Vulnerabilities

Conclusion

WordPress 7.1.2 users face real security risks from five medium-severity vulnerabilities, but these threats are manageable with timely updates and proper security practices. By following the steps in this guide, you can patch your vulnerabilities, protect your users, and maintain a secure online presence. Don't wait—these vulnerabilities are already known to attackers, making prompt action essential.

Keep your WordPress site secure and monitored with SiteRecipe.com. Our platform continuously scans your website for vulnerabilities, outdated plugins, and security issues, alerting you immediately when problems arise. With SiteRecipe.com, you'll get detailed reports, fix recommendations, and peace of mind knowing your site is protected. Visit SiteRecipe.com today to start your free security scan and take control of your website's safety.

Frequently Asked Questions

What is a Cross-Site Scripting (XSS) vulnerability?

XSS is a security flaw that allows attackers to inject malicious scripts into web pages. When users visit the affected page, the script runs in their browsers, potentially stealing cookies, login credentials, or sensitive information. Stored XSS is particularly dangerous because the malicious code is permanently saved in your database.

Are all WordPress 7.1.2 users affected by these CVEs?

No, these specific vulnerabilities only affect users who have installed the vulnerable plugins mentioned: Booster for WooCommerce, WP Shortcodes, Shortcodes Ultimate, Ajax Load More, or LayerSlider. If you don't use these plugins, you may not be affected, but it's still important to update WordPress and all plugins regularly.

How often should I update WordPress and my plugins?

You should enable automatic updates for WordPress core and all plugins whenever possible, or manually check for updates at least weekly. Security updates should be applied immediately as soon as they're available, as vulnerabilities become more dangerous over time as more attackers learn about them.

Will updating my plugins break my website?

While updates can occasionally cause compatibility issues, the security risks of staying vulnerable far outweigh this possibility. Always back up your site before updating, test updates on a staging environment if possible, and monitor your site after updates to catch any issues immediately.


DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 08, 2026 · SiteRecipe.com