Improper Input Validation Affecting johnpbloch/wordpress-core package, versions <4.1.39>=4.2.0, <4.2.36>=4.3.0, <4.3.32>=4.4.0, <4.4.31>=4.5.0, <4.5.30>=4.6.0, <4.6.27>=4.7.0, <4.7.27>=4.8.0, <4.8.23>=4.9.0, <4.9.24>=5.0.0, <5.0.20>=5.1.0, <5.1.17>=5.2.0, <5.2.19>=5.3.0, <5.3.16>=5.4.0, <5.4.14>=5.5.0, <5.5.13>=5.6.0, <5.6.12>=5.7.0, <5.7.10>=5.8.0, <5.8.8>=5.9.0, <5.9.8>=6.0.0, <6.0.6>=6.1.0, <6.1.4>=6.2.0, <6.2.3>=6.3.0, <6.3.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Input Validation vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PHP-JOHNPBLOCHWORDPRESSCORE-8648602
- published21 Jan 2025
- disclosed12 Oct 2023
- creditJames Golovich, WhiteCyberSec
Introduced: 12 Oct 2023
CVE NOT AVAILABLE CWE-20 (opens in a new tab)How to fix?
Upgrade johnpbloch/wordpress-core to version 4.1.39, 4.2.36, 4.3.32, 4.4.31, 4.5.30, 4.6.27, 4.7.27, 4.8.23, 4.9.24, 5.0.20, 5.1.17, 5.2.19, 5.3.16, 5.4.14, 5.5.13, 5.6.12, 5.7.10, 5.8.8, 5.9.8, 6.0.6, 6.1.4, 6.2.3, 6.3.2 or higher.
Overview
johnpbloch/wordpress-core is a web software you can use to create a website or blog.
Affected versions of this package are vulnerable to Improper Input Validation due to insufficient input validation in the parse_media_shortcode AJAX function. An attacker can manipulate the shortcode output by injecting malicious shortcodes.