
AIKIDO-2025-10047

johnpbloch/wordpress-core is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jan 27, 2025

53

Medium Risk

This Affects:

PHP: johnpbloch/wordpress-core

Vulnerable range -> fixed in:
4.7.0 - 4.7.26 -> 4.7.27
4.8.0 - 4.8.22 -> 4.8.23
4.9.0 - 4.9.23 -> 4.9.24
5.0.0 - 5.0.19 -> 5.0.20
5.1.0 - 5.1.16 -> 5.1.17
5.2.0 - 5.2.18 -> 5.2.19
5.3.0 - 5.3.15 -> 5.3.16
5.4.0 - 5.4.13 -> 5.4.14
5.5.0 - 5.5.12 -> 5.5.13
5.6.0 - 5.6.11 -> 5.6.12
5.7.0 - 5.7.9 -> 5.7.10
5.8.0 - 5.8.7 -> 5.8.8
5.9.0 - 5.9.7 -> 5.9.8
6.0.0 - 6.0.5 -> 6.0.6
6.1.0 - 6.1.3 -> 6.1.4
6.2.0 - 6.2.2 -> 6.2.3
6.3.0 - 6.3.1 -> 6.3.2

TL;DR

Affected versions of this package are vulnerable to Denial of Service (DoS) caused by improper handling of the X-HTTP-Method-Override header in REST endpoint requests. If such a request results in a 4xx error, the error response can be cached incorrectly. An attacker can exploit this behavior to cause inconsistent states or service disruptions by manipulating the cached error responses, affecting the application's reliability and availability.
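To make the failure mode concrete, the following is an added, constructed model (not WordPress or Aikido code) of a shared response cache sitting in front of a toy REST endpoint. The endpoint, the path, the bearer token and the cache behaviour are all assumptions for the illustration. In the unhardened mode the origin emits no caching directives, so a 4xx produced by a GET that carries X-HTTP-Method-Override lands in the cache entry that every later plain GET of the same path hits. In the hardened mode the origin marks responses as varying on the override header and refuses to let overridden or error responses be stored, which is the general mitigation for this class of cache-poisoning DoS regardless of the specific framework.

```python
"""Constructed model of a shared cache in front of a REST endpoint that honours
X-HTTP-Method-Override (added illustration, not WordPress code)."""
from dataclasses import dataclass, field

OVERRIDE_HEADER = "X-HTTP-Method-Override"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def effective_method(req):
    """Method the REST layer dispatches on; the override header wins.
    Assumption for this model: the override is honoured on any request."""
    return req.headers.get(OVERRIDE_HEADER, req.method).upper()


def origin(req, hardened):
    """Toy REST endpoint: GET is public, DELETE needs a token, anything else is 405."""
    method = effective_method(req)
    if method == "GET":
        resp = Response(200, f"contents of {req.path}")
    elif method == "DELETE":
        if req.headers.get("Authorization") == "Bearer valid-token":  # constructed token
            resp = Response(200, "deleted")
        else:
            resp = Response(401, "authentication required")
    else:
        resp = Response(405, "method not allowed")
    if hardened:
        # Mitigation: the response depends on the override header, so caches must
        # key on it, and an overridden request or an error must never be stored.
        resp.headers["Vary"] = OVERRIDE_HEADER
        if OVERRIDE_HEADER in req.headers or resp.status >= 400:
            resp.headers["Cache-Control"] = "no-store"
    return resp


class SharedCache:
    """Page-cache style store: keys on (method, path) plus any headers named in Vary.
    Like many page caches it stores whatever the origin returns for a GET, including
    error statuses, unless told 'no-store'."""

    def __init__(self):
        self.store = {}
        self.hits = 0

    def fetch(self, req, hardened):
        base = (req.method.upper(), req.path)
        for varied, resp in self.store.get(base, []):
            if all(req.headers.get(h, "") == v for h, v in varied):
                self.hits += 1
                return resp
        resp = origin(req, hardened)
        cacheable = base[0] == "GET" and "no-store" not in resp.headers.get("Cache-Control", "")
        if cacheable:
            vary = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
            varied = tuple((h, req.headers.get(h, "")) for h in vary)
            self.store.setdefault(base, []).append((varied, resp))
        return resp


def simulate(hardened):
    """Return (status seen by the overridden request, status seen by a later plain GET)."""
    cache = SharedCache()
    path = "/wp-json/wp/v2/posts/1"  # constructed path
    # A GET carrying an override the endpoint rejects with a 4xx.
    first = cache.fetch(Request("GET", path, {OVERRIDE_HEADER: "DELETE"}), hardened).status
    # An ordinary visitor's plain GET of the same path afterwards.
    second = cache.fetch(Request("GET", path), hardened).status
    return first, second


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))  # (401, 401): cached error served to everyone
    print("hardened:  ", simulate(hardened=True))   # (401, 200): error never stored
```

The useful check for operators is the second tuple element: if a plain GET after an overridden request returns the earlier error status, the cache layer is keying responses without regard to the override header. On the origin side the two lines that matter are the `Vary` header and the `no-store` directive for overridden or error responses; on the cache side, honouring both.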

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

johnpbloch/wordpress-core is vulnerable to Denial of Service (DoS) in versions 4.7.0 - 4.7.26, 4.8.0 - 4.8.22, 4.9.0 - 4.9.23, 5.0.0 - 5.0.19, 5.1.0 - 5.1.16, 5.2.0 - 5.2.18, 5.3.0 - 5.3.15, 5.4.0 - 5.4.13, 5.5.0 - 5.5.12, 5.6.0 - 5.6.11, 5.7.0 - 5.7.9, 5.8.0 - 5.8.7, 5.9.0 - 5.9.7, 6.0.0 - 6.0.5, 6.1.0 - 6.1.3, 6.2.0 - 6.2.2 and 6.3.0 - 6.3.1.

How to fix this

Upgrade the johnpbloch/wordpress-core library to a patched version: the first fixed release for your branch as listed above (for example 6.3.2 for the 6.3.x branch).