AIKIDO-2025-10041
johnpbloch/wordpress-core is vulnerable to Cross-site Scripting (XSS)
51
Medium Risk
This Affects:
johnpbloch/wordpress-coreTL;DR
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to inadequate escaping of the Blog Name field. An attacker can exploit this vulnerability by injecting a crafted payload into the Blog Name, which is then rendered in the application without proper sanitization. This allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to data theft, session hijacking, or other malicious actions.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
johnpbloch/wordpress-core is vulnerable to Cross-site Scripting (XSS) in versions 1.0.0 - 3.7.39, 3.8.0 - 3.8.39, 3.9.0 - 3.9.37, 4.0.0 - 4.0.36, 4.1.0 - 4.1.36, 4.2.0 - 4.2.33, 4.3.0 - 4.3.29, 4.4.0 - 4.4.28, 4.5.0 - 4.5.27, 4.6.0 - 4.6.24, 4.7.0 - 4.7.24, 4.8.0 - 4.8.20, 4.9.0 - 4.9.21, 5.0.0 - 5.0.17, 5.1.0 - 5.1.14, 5.2.0 - 5.2.16, 5.3.0 - 5.3.13, 5.4.0 - 5.4.11, 5.5.0 - 5.5.10, 5.6.0 - 5.6.9, 5.7.0 - 5.7.7, 5.8.0 - 5.8.5, 5.9.0 - 5.9.4 and 6.0.0 - 6.0.2.
How to fix this
Upgrade the johnpbloch/wordpress-core library to a patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant