The version string 7.3 matches 41 documented CVEs in this dataset. Almost all of them are in WordPress plugins whose affected release numbers include 7.3; the only two WordPress core entries (CVE-2014-5265 and CVE-2014-5266) concern the bundled XML-RPC library in core versions before 3.9.2 and were fixed in 2014. The highest-rated entries are HIGH (CVSS 7.5); none are rated CRITICAL. The flaws include SQL injection, authorization and authentication bypasses, information disclosure and privilege escalation, and attackers routinely scan for known plugin weaknesses of this kind on unpatched installations. This page's scan data counts 1,021 sites still running an affected version.
This guide will help you check whether your site runs an affected plugin version, understand the specific threats you face, and apply the fixes. In every case below the fix is the same: update the affected plugin (or WordPress core, for the two 2014 entries) to a release past the affected range, or remove the plugin if no fixed release exists. Prompt action protects your data, your users, and your business reputation.
We'll walk through the steps to check your installation and close these holes.
WordPress is the content management system powering over 43% of all websites on the internet. It lets you create, manage, and publish content without advanced coding knowledge, and it manages everything from posts and pages to user accounts and the plugins that add extra functionality. Note that "7.3" on this page is not a WordPress core release: it is the version number that appears in the affected ranges of the plugins listed below (for example Quiz And Survey Master 7.3.4 or wpDiscuz 7.3.0). What matters is the version of each plugin you have installed, not the core version.
Like all software, WordPress and its plugins receive regular updates that fix security problems found by researchers. Many of the releases listed here are several years old, and since then numerous flaws have been disclosed in the plugins concerned. Running an outdated plugin is like leaving your front door unlocked: the weaknesses are public in NVD together with their affected version ranges, and attackers search for exactly those versions to break in.
41 CVEs match this version string. The highest-impact entries are explained below, followed by the full table.
The FV Flowplayer Video Player plugin (before version 7.3.19.727) has a flaw that lets an attacker read and manipulate your website's database through crafted requests. This is like leaving your filing cabinets unlocked with a map to where everything is stored.
Impact: Attackers could read data from your database, modify customer information, delete content, or inject malicious code into your site.
An older version of the FV Flowplayer plugin (before 7.3.15.727) lets unauthenticated visitors download the email subscription list (CVE-2019-14800 in the table below).
Impact: Your email subscriber list could be stolen, exposing your subscribers to phishing and affecting your ability to communicate with customers.
The Ultimate Membership Pro plugin (versions 7.3 to 8.6) allows anyone to log in as any user, including your admin account, without knowing a password. It's like someone walking into your office and sitting at your desk.
Impact: Attackers gain full control of your website and can delete content, steal data, modify settings, or lock you out of your own site.
The ARMember Premium plugin (up to version 7.3.1) stores password reset keys in plain text, making them usable by anyone who can read the database. This is like writing passwords on a sticky note attached to your monitor. (WordPress core stores its own reset keys hashed for exactly this reason, and the same plugin has SQL injection entries in the table below, CVE-2026-5073 and CVE-2026-5074, which is the kind of flaw that exposes stored keys.)
Impact: Attackers can use exposed password reset keys to take over user accounts, including admin accounts, without your knowledge.
The Paid Videochat Turnkey Site plugin (up to version 7.3.20) doesn't properly restrict which user role can be assigned during registration, so someone could register as an administrator instead of a regular user.
Impact: Unauthorized users could gain admin privileges, giving them control over your entire website and all its settings.
The Sirv image optimizer plugin (up to version 7.3.20) doesn't properly validate uploaded files, allowing attackers to upload malicious files or to abuse the feature to crash your site.
Impact: Your site could go down (denial of service), or malicious files could be uploaded and executed on your server.
The full list of 41 matching CVEs follows. Each entry links to NVD, where the complete description and the fixed version are published.
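The check this page promises (is my installed plugin inside an affected range?) is straightforward to script. The following Python is an added example, not code from this page or from any of the plugins named on it. It reads the JSON that WP-CLI's `wp plugin list --format=json` prints (fields `name`, `status`, `update`, `version`), compares each installed version against a table of affected ranges transcribed from the CVE list on this page, and reports the matches. The plugin slugs are assumptions (the page names plugins by display name, not by wordpress.org slug), and the sample WP-CLI output is constructed for the example. Version comparison is done numerically, field by field, so that `7.3` equals `7.3.0` and `7.3.15.727` sorts after `7.3.9.727`, which a plain string comparison would get wrong.

```python
import json
import re
import sys

# Constructed sample of `wp plugin list --format=json` output; the slugs and
# versions are made up for this example.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "quiz-master-next", "status": "active", "update": "available", "version": "7.3.4"},
    {"name": "wpdiscuz", "status": "active", "update": "none", "version": "7.3.12"},
    {"name": "restricted-site-access", "status": "active", "update": "available", "version": "7.3.1"},
    {"name": "directorist", "status": "inactive", "update": "none", "version": "7.4.0"},
])

# (assumed slug, CVE, operator, bound) transcribed from the CVE table on this page.
AFFECTED = [
    ("quiz-master-next", "CVE-2021-36898", "<=", "7.3.4"),
    ("quiz-master-next", "CVE-2022-41652", "<=", "7.3.10"),
    ("wpdiscuz", "CVE-2021-24806", "<", "7.3.4"),
    ("wpdiscuz", "CVE-2022-23984", "<=", "7.3.11"),
    ("restricted-site-access", "CVE-2022-1613", "<", "7.3.2"),
    ("directorist", "CVE-2022-2376", "<", "7.3.1"),
]


def parse_version(v):
    """Turn '7.3.15.727' into (7, 3, 15, 727); a non-numeric field counts as 0."""
    parts = []
    for field in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", field)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_cmp(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded so '7.3' == '7.3.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(installed, op, bound):
    c = version_cmp(installed, bound)
    return {"<": c < 0, "<=": c <= 0, "==": c == 0, ">=": c >= 0, ">": c > 0}[op]


def find_vulnerable(wp_cli_json, affected=AFFECTED, include_inactive=True):
    """Map slug -> [(cve, installed_version), ...] for plugins inside an affected range.

    Inactive plugins are included by default: their PHP files are still on disk and
    flaws reachable by direct file access do not need the plugin to be activated.
    """
    installed = {p["name"]: p for p in json.loads(wp_cli_json)}
    hits = {}
    for slug, cve, op, bound in affected:
        plugin = installed.get(slug)
        if plugin is None:
            continue
        if not include_inactive and plugin["status"] != "active":
            continue
        if is_affected(plugin["version"], op, bound):
            hits.setdefault(slug, []).append((cve, plugin["version"]))
    return hits


if __name__ == "__main__":
    # Usage: wp plugin list --format=json | python3 check_plugins.py
    data = SAMPLE_WP_CLI_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for slug, matches in find_vulnerable(data).items():
        for cve, version in matches:
            print(f"{slug} {version}: {cve}")
```

Run it on a real site by piping WP-CLI's output into it; with the constructed sample it flags Quiz And Survey Master 7.3.4 twice and Restricted Site Access 7.3.1 once, and correctly leaves wpDiscuz 7.3.12 alone because it sits just above the `<= 7.3.11` bound. Keep the `AFFECTED` table in sync with NVD, since the truncated descriptions on this page do not always show the upper bound.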
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2021-36898 | HIGH | 7.5 | 2022-10-28 | Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress. |
| CVE-2024-12330 | HIGH | 7.5 | 2025-01-09 | The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and includi… |
| CVE-2024-13496 | HIGH | 7.5 | 2025-01-22 | The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ pa… |
| CVE-2026-5073 | HIGH | 7.5 | 2026-06-02 | The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and incl… |
| CVE-2024-1793 | HIGH | 7.2 | 2024-03-13 | The AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth plugin for WordPress is vulnerable to SQL Injection via the 'post_id… |
| CVE-2025-13145 | HIGH | 7.2 | 2025-11-19 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to des… |
| CVE-2008-0560 | MEDIUM | 6.8 | 2008-02-04 | PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a Wordpress plugin, allows remote attackers to execute arbitrary PHP code via a U… |
| CVE-2022-41652 | MEDIUM | 6.5 | 2022-11-18 | Bypass vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress. |
| CVE-2024-3934 | MEDIUM | 6.5 | 2024-07-20 | The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to Path Traversal in versions 7.3.0 to 7.5.1 via the mercadopagoDownloadLog function. This makes it po… |
| CVE-2026-1317 | MEDIUM | 6.5 | 2026-02-18 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient… |
| CVE-2026-5074 | MEDIUM | 6.5 | 2026-06-02 | The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, and in… |
| CVE-2025-0370 | MEDIUM | 6.4 | 2025-03-04 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘src’ parameter in all versions up to, and including, 7.3.… |
| CVE-2025-4666 | MEDIUM | 6.4 | 2025-06-11 | The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input … |
| CVE-2025-14627 | MEDIUM | 6.4 | 2026-01-01 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due t… |
| CVE-2020-36833 | MEDIUM | 6.3 | 2024-10-16 | The Indeed Membership Pro plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various AJAX actions in versions 7.3 - 8.6. This makes it … |
| CVE-2019-14799 | MEDIUM | 6.1 | 2019-08-09 | The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS. |
| CVE-2019-13463 | MEDIUM | 6.1 | 2020-03-20 | An XSS vulnerability in qcopd-shortcode-generator.php in the Simple Link Directory plugin before 7.3.5 for WordPress allows remote attackers to inject arbitrary web script or HTML… |
| CVE-2021-36863 | MEDIUM | 5.4 | 2022-10-28 | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ExpressTech Quiz And Survey Master plugin <= 7.3.4 on WordPress. |
| CVE-2021-36905 | MEDIUM | 5.4 | 2022-11-17 | Multiple Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Quiz And Survey Master plugin <= 7.3.4 on WordPress. |
| CVE-2022-40698 | MEDIUM | 5.4 | 2022-11-18 | Auth. (subscriber+) Cross-Site Scripting (XSS) vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress. |
| CVE-2019-14800 | MEDIUM | 5.3 | 2019-08-15 | The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplay… |
| CVE-2022-2376 | MEDIUM | 5.3 | 2022-09-05 | The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users |
| CVE-2022-2877 | MEDIUM | 5.3 | 2022-09-16 | The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it'… |
| CVE-2022-1613 | MEDIUM | 5.3 | 2022-09-26 | The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-… |
| CVE-2022-42883 | MEDIUM | 5.3 | 2022-11-18 | Sensitive Information Disclosure vulnerability discovered by Quiz And Survey Master plugin <= 7.3.10 on WordPress. |
| CVE-2014-5265 | MEDIUM | 5.0 | 2014-08-18 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion duri… |
| CVE-2014-5266 | MEDIUM | 5.0 | 2014-08-18 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, whic… |
| CVE-2021-24691 | MEDIUM | 4.8 | 2021-10-11 | The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to pe… |
| CVE-2021-24737 | MEDIUM | 4.8 | 2021-10-11 | The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow … |
| CVE-2022-2763 | MEDIUM | 4.8 | 2022-10-03 | The WP Socializer WordPress plugin before 7.3 does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross… |
| CVE-2023-6290 | MEDIUM | 4.8 | 2024-01-22 | The SEOPress WordPress plugin before 7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting at… |
| CVE-2024-13313 | MEDIUM | 4.8 | 2025-05-15 | The AWeber WordPress plugin through 7.3.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Sc… |
| CVE-2021-24806 | MEDIUM | 4.3 | 2021-11-08 | The wpDiscuz WordPress plugin before 7.3.4 does not check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit an… |
| CVE-2022-2377 | MEDIUM | 4.3 | 2022-08-22 | The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of… |
| CVE-2024-7429 | MEDIUM | 4.3 | 2024-11-05 | The Zotpress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Zotpress_process_accounts_AJAX function in all versio… |
| CVE-2025-12732 | MEDIUM | 4.3 | 2025-11-12 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on … |
| CVE-2021-36865 | LOW | 3.8 | 2022-09-30 | Insecure direct object references (IDOR) vulnerability in ExpressTech Quiz And Survey Master plugin <= 7.3.4 at WordPress allows attackers to change the content of the quiz. |
| CVE-2022-23984 | LOW | 3.7 | 2022-02-21 | Sensitive information disclosure discovered in wpDiscuz WordPress plugin (versions <= 7.3.11). |
| CVE-2024-12300 | LOW | 3.7 | 2024-12-13 | The AR for WordPress plugin for WordPress is vulnerable to unauthorized double extension file upload due to a missing capability check on the set_ar_featured_image() function in a… |
| CVE-2021-36864 | LOW | 3.4 | 2022-10-28 | Auth. (editor+) Reflected Cross-Site Scripting (XSS) vulnerability in ExpressTech Quiz And Survey Master plugin <= 7.3.4 on WordPress. |
| CVE-2021-36906 | LOW | 2.7 | 2022-11-03 | Multiple Insecure Direct Object References (IDOR) vulnerabilities in ExpressTech Quiz And Survey Master plugin <= 7.3.6 on WordPress. |
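Two entries in the table, CVE-2022-2877 (Titan Anti-spam & Security) and CVE-2022-1613 (Restricted Site Access), share one root cause: the plugin trusts a client-supplied HTTP header for the visitor's IP address in preference to PHP's `REMOTE_ADDR`. `REMOTE_ADDR` is set by the web server from the TCP connection and cannot be forged by the remote client; `X-Forwarded-For` and similar headers are plain request text that any client can write. The following Python is an added example that models that logic (it is not code from either plugin, and the exact header list each plugin consulted is assumed here, written in PHP `$_SERVER` form). It shows the bypassable header-first lookup next to a hardened version that only honours `X-Forwarded-For` when the TCP peer is a proxy you operate, and then takes the right-most hop that your proxy did not itself add. The proxy and allowlist addresses, and the requests, are constructed for the example.

```python
# Assumed deployment: one reverse proxy at 10.0.0.5 sits in front of the origin,
# and only 203.0.113.10 may reach the restricted content.
TRUSTED_PROXIES = {"10.0.0.5"}
ALLOWLIST = {"203.0.113.10"}

# Client-settable headers in PHP $_SERVER naming; the set is an assumption.
SPOOFABLE_HEADERS = (
    "HTTP_CLIENT_IP",
    "HTTP_X_FORWARDED_FOR",
    "HTTP_X_REAL_IP",
    "HTTP_CF_CONNECTING_IP",
)


def client_ip_weak(remote_addr, server):
    """The bypassable pattern: prefer any header over REMOTE_ADDR.

    The left-most X-Forwarded-For hop is whatever the client wrote, so a visitor
    who connects directly (or whose proxy merely appends to the header) chooses
    the address this function returns.
    """
    for name in SPOOFABLE_HEADERS:
        value = server.get(name, "")
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def client_ip_safe(remote_addr, server, trusted_proxies=TRUSTED_PROXIES):
    """Hardened lookup: REMOTE_ADDR unless the peer is one of our own proxies.

    When it is, walk X-Forwarded-For from the right (the end our proxy appended
    to) and return the first hop that is not a trusted proxy. Hops further left
    were supplied by the client and are ignored.
    """
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def is_allowed(lookup, remote_addr, server, allowlist=ALLOWLIST):
    """IP allowlist check of the kind Restricted Site Access performs."""
    return lookup(remote_addr, server) in allowlist


# Constructed requests.
ATTACKER = "198.51.100.7"
# Attacker connects straight to the origin and forges the header.
DIRECT_SPOOF = {"HTTP_X_FORWARDED_FOR": "203.0.113.10"}
# Attacker goes through our proxy, which appends the real peer address.
VIA_PROXY_SPOOF = {"HTTP_X_FORWARDED_FOR": "203.0.113.10, 198.51.100.7"}
# The allowed client, arriving through our proxy.
LEGIT_VIA_PROXY = {"HTTP_X_FORWARDED_FOR": "203.0.113.10"}

if __name__ == "__main__":
    for label, peer, req in (
        ("direct spoof", ATTACKER, DIRECT_SPOOF),
        ("spoof via proxy", "10.0.0.5", VIA_PROXY_SPOOF),
        ("legit via proxy", "10.0.0.5", LEGIT_VIA_PROXY),
    ):
        print(f"{label}: weak={is_allowed(client_ip_weak, peer, req)} "
              f"safe={is_allowed(client_ip_safe, peer, req)}")
```

Two caveats apply to the hardened version. It is only as good as the proxy in front of it: that proxy must append (or overwrite) `X-Forwarded-For` rather than pass a client-supplied value through untouched. And if the origin is reachable on a path that skips the proxy, `REMOTE_ADDR` is the attacker's own address, which is fine for the allowlist but means any plugin still using the weak lookup is exposed; firewall the origin so only the proxy can reach it.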
The 41 CVEs matching this version string are public, and the flaws behind them are the kind attackers scan for at scale. The HIGH-rated entries alone can lead to database compromise, user data theft, and loss of administrator access. Delaying the plugin updates leaves your business exposed, and compliance requirements in many industries mandate prompt patching of known vulnerabilities.
Don't leave your website vulnerable another day. SiteRecipe.com provides automated security scanning and vulnerability management tools that identify outdated versions, track CVEs affecting your specific plugins, and alert you to threats in real-time. Visit SiteRecipe.com today to scan your WordPress installation for free and get a detailed security report with step-by-step remediation guidance tailored to your site.
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.