johnpbloch/wordpress-core is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes
51
Medium Risk
Affected versions of this package are vulnerable to improperly controlled modification of dynamically determined object attributes through the block editor. This occurs because the block editor fails to properly restrict or validate dynamically assigned object attributes. An attacker can exploit this vulnerability to manipulate the object prototype, potentially injecting malicious scripts. This can lead to unauthorized access, data modification, or disruption of application behavior, posing significant security risks.
You are affected if you are using a version that falls within the vulnerable range.
johnpbloch/wordpress-core is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in versions 1.0.0 - 3.7.37, 3.8.0 - 3.8.37, 3.9.0 - 3.9.35, 4.0.0 - 4.0.34, 4.1.0 - 4.1.34, 4.2.0 - 4.2.31, 4.3.0 - 4.3.27, 4.4.0 - 4.4.26, 4.5.0 - 4.5.25, 4.6.0 - 4.6.22, 4.7.0 - 4.7.22, 4.8.0 - 4.8.18, 4.9.0 - 4.9.19, 5.0.0 - 5.0.15, 5.1.0 - 5.1.12, 5.2.0 - 5.2.14, 5.3.0 - 5.3.11, 5.4.0 - 5.4.9, 5.5.0 - 5.5.8, 5.6.0 - 5.6.7, 5.7.0 - 5.7.5, 5.8.0 - 5.8.3 and 5.9.0 - 5.9.1.
Upgrade the johnpbloch/wordpress-core library to a patched version.
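One way to check a project against the affected ranges listed above, as an added example that is not part of the advisory or of WordPress itself: it reads a Composer lock file and reports whether the installed johnpbloch/wordpress-core version falls inside an affected range. The lock-file content is a constructed sample, and treating a two-part version such as 5.9 as 5.9.0 is an assumption.

```python
import json
import re

PACKAGE = "johnpbloch/wordpress-core"

# Affected ranges copied from the advisory text (inclusive on both ends).
AFFECTED = (
    "1.0.0 - 3.7.37, 3.8.0 - 3.8.37, 3.9.0 - 3.9.35, 4.0.0 - 4.0.34, "
    "4.1.0 - 4.1.34, 4.2.0 - 4.2.31, 4.3.0 - 4.3.27, 4.4.0 - 4.4.26, "
    "4.5.0 - 4.5.25, 4.6.0 - 4.6.22, 4.7.0 - 4.7.22, 4.8.0 - 4.8.18, "
    "4.9.0 - 4.9.19, 5.0.0 - 5.0.15, 5.1.0 - 5.1.12, 5.2.0 - 5.2.14, "
    "5.3.0 - 5.3.11, 5.4.0 - 5.4.9, 5.5.0 - 5.5.8, 5.6.0 - 5.6.7, "
    "5.7.0 - 5.7.5, 5.8.0 - 5.8.3, 5.9.0 - 5.9.1"
)


def parse_version(text):
    """Return (major, minor, patch), or None for non-numeric versions such as dev-master."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())  # assumption: "5.9" means 5.9.0


RANGES = [tuple(parse_version(end) for end in r.split(" - ")) for r in AFFECTED.split(", ")]


def is_affected(version):
    """True/False for a numeric version, None when the version cannot be compared."""
    v = parse_version(version)
    if v is None:
        return None
    return any(low <= v <= high for low, high in RANGES)


def check_lockfile(lock_text):
    """Return (installed_version, affected) for the package in a composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None


# Constructed composer.lock fragment (sample input, not from a real project).
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "5.8.3"}]})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK), is_affected("5.8.4"), is_affected("dev-master"))
```

A result of None from is_affected means the installed version is not a plain release number (for example a branch alias) and has to be checked by hand.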