Upgrade johnpbloch/wordpress-core to version 3.7.39, 3.8.39, 3.9.37, 4.0.36, 4.1.36, 4.2.33, 4.3.29, 4.4.28, 4.5.27, 4.6.24, 4.7.24, 4.8.20, 4.9.21, 5.0.17, 5.1.14, 5.2.16, 5.3.13, 5.4.11, 5.5.10, 5.6.9, 5.7.7, 5.8.5, 5.9.4, 6.0.2 or higher.
johnpbloch/wordpress-core is web software you can use to create a website or blog.
Affected versions of this package are vulnerable to SQL Injection via the get_bookmarks function. An attacker can manipulate SQL queries and potentially access or alter database information by injecting malicious SQL code through the LIMIT parameter.
Note:
This is only exploitable if a plugin or theme passes an unescaped user-supplied LIMIT value from lower-privileged users to the get_bookmarks function.
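One way a plugin or theme can keep a request-supplied value from reaching the limit argument of get_bookmarks unvalidated, as the note above describes. This is an added example, not code from WordPress core or from this advisory; the names myplugin_safe_bookmark_limit and myplugin_list_bookmarks, the cap of 100 and the default of 10 are hypothetical.

```php
<?php
// Added example: hypothetical plugin code, not WordPress core.

/**
 * Reduce a request-supplied value to a bounded integer for the 'limit'
 * argument of get_bookmarks(). Anything that is not a plain decimal
 * integer between 1 and $max falls back to $default.
 * ($max = 100 and $default = 10 are assumptions made for this example.)
 */
function myplugin_safe_bookmark_limit( $raw, int $max = 100, int $default = 10 ): int {
    if ( is_int( $raw ) ) {
        $raw = (string) $raw;
    }
    // \A and \z anchor the whole string, so trailing newlines, spaces,
    // signs, arrays and null are all rejected rather than cast.
    if ( ! is_string( $raw ) || ! preg_match( '/\A[0-9]{1,4}\z/', $raw ) ) {
        return $default;
    }
    $n = (int) $raw;
    return ( $n >= 1 && $n <= $max ) ? $n : $default;
}

/**
 * Hardened caller: the request value never reaches get_bookmarks() directly.
 * The pattern the note warns about would pass $request['limit'] unchanged.
 */
function myplugin_list_bookmarks( array $request ): array {
    $limit = myplugin_safe_bookmark_limit( $request['limit'] ?? null );
    return get_bookmarks( array( 'limit' => $limit ) );
}

// Outside WordPress, print what the sanitizer returns for constructed inputs.
if ( ! function_exists( 'get_bookmarks' ) ) {
    $samples = array( '5', '100', '0', '250', '5 ', "5\n", '5abc', '-1', array( '5' ), null );
    foreach ( $samples as $sample ) {
        printf( "%s => %d\n", json_encode( $sample ), myplugin_safe_bookmark_limit( $sample ) );
    }
}
```

Validation in plugin code is defence in depth; upgrading to one of the versions listed above is still required.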