
AIKIDO-2025-10052

johnpbloch/wordpress-core is vulnerable to SQL Injection

SQL Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jan 27, 2025

98 - Critical Risk

This Affects:

PHP: johnpbloch/wordpress-core

Affected range      Fixed in
1.0.0 - 3.7.39      3.7.40
3.8.0 - 3.8.39      3.8.40
3.9.0 - 3.9.37      3.9.38
4.0.0 - 4.0.36      4.0.37
4.1.0 - 4.1.36      4.1.37
4.2.0 - 4.2.33      4.2.34
4.3.0 - 4.3.29      4.3.30
4.4.0 - 4.4.28      4.4.29
4.5.0 - 4.5.27      4.5.28
4.6.0 - 4.6.24      4.6.25
4.7.0 - 4.7.24      4.7.25
4.8.0 - 4.8.20      4.8.21
4.9.0 - 4.9.21      4.9.22
5.0.0 - 5.0.17      5.0.18
5.1.0 - 5.1.14      5.1.15
5.2.0 - 5.2.16      5.2.17
5.3.0 - 5.3.13      5.3.14
5.4.0 - 5.4.11      5.4.12
5.5.0 - 5.5.10      5.5.11
5.6.0 - 5.6.9       5.6.10
5.7.0 - 5.7.7       5.7.8
5.8.0 - 5.8.5       5.8.6
5.9.0 - 5.9.4       5.9.5
6.0.0 - 6.0.2       6.0.3

TL;DR

Affected versions of this package are vulnerable to SQL injection because of insufficient escaping when handling WHERE, AND, and OR clauses in SQL queries. An attacker can exploit this vulnerability by injecting malicious SQL commands, allowing them to manipulate the query. This can lead to unauthorized access, data retrieval, modification, or even deletion of information stored in the database, potentially compromising the application's security and integrity.

Who does this affect?

You are affected if the installed version of johnpbloch/wordpress-core falls within any of the affected ranges listed above; each release line has its own patched version.

Background info

johnpbloch/wordpress-core is vulnerable to SQL Injection in versions 1.0.0 - 3.7.39, 3.8.0 - 3.8.39, 3.9.0 - 3.9.37, 4.0.0 - 4.0.36, 4.1.0 - 4.1.36, 4.2.0 - 4.2.33, 4.3.0 - 4.3.29, 4.4.0 - 4.4.28, 4.5.0 - 4.5.27, 4.6.0 - 4.6.24, 4.7.0 - 4.7.24, 4.8.0 - 4.8.20, 4.9.0 - 4.9.21, 5.0.0 - 5.0.17, 5.1.0 - 5.1.14, 5.2.0 - 5.2.16, 5.3.0 - 5.3.13, 5.4.0 - 5.4.11, 5.5.0 - 5.5.10, 5.6.0 - 5.6.9, 5.7.0 - 5.7.7, 5.8.0 - 5.8.5, 5.9.0 - 5.9.4 and 6.0.0 - 6.0.2.

How to fix this

Upgrade the johnpbloch/wordpress-core library to the patched version for your release line (for example 6.0.3 for the 6.0.x line).