SQL Injection Affecting johnpbloch/wordpress-core package, versions <3.7.40>=3.8.0, <3.8.40>=3.9.0, <3.9.38>=4.0.0, <4.0.37>=4.1.0, <4.1.37>=4.2.0, <4.2.34>=4.3.0, <4.3.30>=4.4.0, <4.4.29>=4.5.0, <4.5.28>=4.6.0, <4.6.25>=4.7.0, <4.7.25>=4.8.0, <4.8.21>=4.9.0, <4.9.22>=5.0.0, <5.0.18>=5.1.0, <5.1.15>=5.2.0, <5.2.17>=5.3.0, <5.3.14>=5.4.0, <5.4.12>=5.5.0, <5.5.11>=5.6.0, <5.6.10>=5.7.0, <5.7.8>=5.8.0, <5.8.6>=5.9.0, <5.9.5>=6.0.0, <6.0.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-JOHNPBLOCHWORDPRESSCORE-8653183
- published22 Jan 2025
- disclosed18 Oct 2022
- creditmikemyers
Introduced: 18 Oct 2022
CVE NOT AVAILABLE CWE-89 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade johnpbloch/wordpress-core to version 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3 or higher.
Overview
johnpbloch/wordpress-core is a web software you can use to create a website or blog.
Affected versions of this package are vulnerable to SQL Injection due to insufficient escaping on where AND and OR are present in the query. An attacker can manipulate the SQL query and retrieve or alter information in the database by injecting malicious SQL commands.