AIKIDO-2025-10049
johnpbloch/wordpress-core is vulnerable to Cross-Site Request Forgery (CSRF)
88
High Risk
This Affects:
johnpbloch/wordpress-coreTL;DR
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to improper request handling in wp-trackback.php. An attacker can exploit this vulnerability by tricking a user into making a crafted request to this endpoint, allowing the attacker to assume the user's identity and perform actions on their behalf. This can result in unauthorized actions such as data modification or privilege escalation within the application.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
johnpbloch/wordpress-core is vulnerable to Cross-Site Request Forgery (CSRF) in versions 1.0.0 - 3.7.39, 3.8.0 - 3.8.39, 3.9.0 - 3.9.37, 4.0.0 - 4.0.36, 4.1.0 - 4.1.36, 4.2.0 - 4.2.33, 4.3.0 - 4.3.29, 4.4.0 - 4.4.28, 4.5.0 - 4.5.27, 4.6.0 - 4.6.24, 4.7.0 - 4.7.24, 4.8.0 - 4.8.20, 4.9.0 - 4.9.21, 5.0.0 - 5.0.17, 5.1.0 - 5.1.14, 5.2.0 - 5.2.16, 5.3.0 - 5.3.13, 5.4.0 - 5.4.11, 5.5.0 - 5.5.10, 5.6.0 - 5.6.9, 5.7.0 - 5.7.7, 5.8.0 - 5.8.5, 5.9.0 - 5.9.4 and 6.0.0 - 6.0.2.
How to fix this
Upgrade the johnpbloch/wordpress-core library to a patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant