Upgrade johnpbloch/wordpress-core to version 4.1.38, 4.2.35, 4.3.31, 4.4.30, 4.5.29, 4.6.26, 4.7.26, 4.8.22, 4.9.23, 5.0.19, 5.1.16, 5.2.18, 5.3.15, 5.4.13, 5.5.12, 5.6.11, 5.7.9, 5.8.7, 5.9.6, 6.0.4, 6.1.2, 6.2.1 or higher.
johnpbloch/wordpress-core is web software you can use to create a website or blog.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to missing nonce validation on the wp_ajax_set_attachment_thumbnail AJAX function. An attacker can update the thumbnail image associated with existing attachments by tricking an authenticated user with appropriate permissions into performing an action, such as clicking a link.
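To check a project against the fixed versions listed in this advisory, the following added example (not part of the advisory or of WordPress) reads a composer.lock and reports whether the locked johnpbloch/wordpress-core release predates the fix for its branch. The function names and the sample lock file are constructed for illustration, and treating branches older than 4.1 as affected is an assumption.

```python
import json

# Fixed releases per branch, copied from the upgrade guidance in this advisory.
FIXED = ("4.1.38 4.2.35 4.3.31 4.4.30 4.5.29 4.6.26 4.7.26 4.8.22 4.9.23 "
         "5.0.19 5.1.16 5.2.18 5.3.15 5.4.13 5.5.12 5.6.11 5.7.9 5.8.7 "
         "5.9.6 6.0.4 6.1.2 6.2.1").split()
# Map (major, minor) -> first patch level that contains the fix.
FIXED_PATCH = {tuple(map(int, v.split(".")[:2])): int(v.split(".")[2]) for v in FIXED}
PACKAGE = "johnpbloch/wordpress-core"


def parse_version(text):
    """Turn '6.1', 'v5.8.6' or '4.9.22' into a (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        # Branch aliases such as 'dev-master' cannot be compared; fail loudly.
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def is_affected(version):
    """True if this release predates the fix for its major.minor branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    # Assumption: branches older than 4.1 have no fixed release, so they count
    # as affected; branches newer than 6.2 fall under "6.2.1 or higher".
    return branch < min(FIXED_PATCH)


def check_lockfile(lock_text):
    """Return (version, affected) for the package in composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None


# Constructed composer.lock fragment, for illustration only.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "vendor/other-package", "version": "1.2.3"},
    {"name": PACKAGE, "version": "6.1.1"},
]})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
```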