
AIKIDO-2025-10046

johnpbloch/wordpress-core is vulnerable to Cross-site Scripting (XSS)

Cross-site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jan 27, 2025

61

Medium Risk

This Affects:

PHP: johnpbloch/wordpress-core
5.6.0 - 5.6.11 (fixed in 5.6.12)
5.7.0 - 5.7.9 (fixed in 5.7.10)
5.8.0 - 5.8.7 (fixed in 5.8.8)
5.9.0 - 5.9.7 (fixed in 5.9.8)
6.0.0 - 6.0.5 (fixed in 6.0.6)
6.1.0 - 6.1.3 (fixed in 6.1.4)
6.2.0 - 6.2.2 (fixed in 6.2.3)
6.3.0 - 6.3.1 (fixed in 6.3.2)

TL;DR

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the success_url and reject_url parameters when requesting application passwords. An attacker can exploit this by injecting malicious web scripts into these parameters. If the attacker tricks a user into clicking a crafted link and then accepting or rejecting the application password, the injected script will execute in the user's browser. This could result in data theft, session hijacking, or other malicious actions.
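Added here as an illustration, not code from the WordPress project or from johnpbloch/wordpress-core: the unsafe reflection pattern the advisory describes beside a hardened handler that validates a success_url/reject_url style parameter before rendering it into a link. Function names and the sample inputs are constructed for the example.

```php
<?php
// Added example (not WordPress/johnpbloch code): handling a success_url /
// reject_url style redirect parameter. Assumes only http(s) targets are ever needed.

/**
 * Return the URL if it is an absolute http(s) URL, otherwise null.
 */
function validate_redirect_url(string $raw): ?string {
    $raw = trim($raw);
    // Reject control characters and embedded whitespace before parsing.
    if (preg_match('/[\x00-\x1F\x7F\s]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Blocks javascript:, data:, vbscript: and any other non-http scheme.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $raw;
}

/** Unsafe pattern: the raw parameter is reflected straight into an href. */
function render_link_unsafe(string $url): string {
    return '<a href="' . $url . '">Continue</a>';
}

/** Hardened pattern: validate the URL, then HTML-escape it for the attribute context. */
function render_link_safe(string $url): ?string {
    $clean = validate_redirect_url($url);
    if ($clean === null) {
        return null; // caller should fall back to a default destination
    }
    $escaped = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">Continue</a>';
}

// Constructed sample inputs: one legitimate callback, one scheme-based payload,
// one attribute-breakout payload.
$samples = [
    'https://app.example.test/callback?user=42',
    'javascript:alert(document.cookie)',
    'https://app.example.test/cb?x="><script>alert(1)</script>',
];
foreach ($samples as $s) {
    echo "unsafe: " . render_link_unsafe($s) . "\n";
    echo "safe:   " . var_export(render_link_safe($s), true) . "\n";
}
```

The second sample is rejected outright by the scheme check; the third survives validation but its quotes and angle brackets are escaped, so it can no longer break out of the href attribute.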

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

johnpbloch/wordpress-core is vulnerable to Cross-site Scripting (XSS) in versions 5.6.0 - 5.6.11, 5.7.0 - 5.7.9, 5.8.0 - 5.8.7, 5.9.0 - 5.9.7, 6.0.0 - 6.0.5, 6.1.0 - 6.1.3, 6.2.0 - 6.2.2 and 6.3.0 - 6.3.1.

How to fix this

Upgrade the johnpbloch/wordpress-core library to a patched version: the first fixed release for each affected minor line is listed above.