Open Redirect Affecting johnpbloch/wordpress-core package, versions <3.7.40>=3.8.0, <3.8.40>=3.9.0, <3.9.38>=4.0.0, <4.0.37>=4.1.0, <4.1.37>=4.2.0, <4.2.34>=4.3.0, <4.3.30>=4.4.0, <4.4.29>=4.5.0, <4.5.28>=4.6.0, <4.6.25>=4.7.0, <4.7.25>=4.8.0, <4.8.21>=4.9.0, <4.9.22>=5.0.0, <5.0.18>=5.1.0, <5.1.15>=5.2.0, <5.2.17>=5.3.0, <5.3.14>=5.4.0, <5.4.12>=5.5.0, <5.5.11>=5.6.0, <5.6.10>=5.7.0, <5.7.8>=5.8.0, <5.8.6>=5.9.0, <5.9.5>=6.0.0, <6.0.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-JOHNPBLOCHWORDPRESSCORE-8648598
- published21 Jan 2025
- disclosed18 Oct 2022
- creditdevrayn
Introduced: 18 Oct 2022
CVE NOT AVAILABLE CWE-601 (opens in a new tab)How to fix?
Upgrade johnpbloch/wordpress-core to version 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3 or higher.
Overview
johnpbloch/wordpress-core is a web software you can use to create a website or blog.
Affected versions of this package are vulnerable to Open Redirect due to insufficient validation of the Referer header and _wp_http_referer request parameter when a user accesses a link with an expired or invalid nonce. An attacker can redirect a victim to a potentially malicious site by tricking the victim into performing an action such as clicking on a link.