roots/wordpress is vulnerable to Improper Input Validation
Risk score: 75 (High Risk)
Affected versions of this package bundle WordPress components that predate the upstream security fixes, and so carry multiple independent vulnerabilities: blind SSRF, stored XSS, regex-based denial of service, authorization bypasses, path traversal in PclZip, and an XXE flaw in the bundled getID3 library. An attacker could inject malicious payloads into menus or directives to achieve stored XSS, craft requests that trigger SSRF or bypass authorization checks, feed input that drives the vulnerable regex parsing into resource exhaustion, or use the path traversal or XXE issues to read sensitive files or reach internal services. Depending on the affected component and the deployment, successful exploitation can lead to data exfiltration, privilege escalation, remote content injection, or disruption of service. Upgrade immediately: the fixes are ports of the upstream WordPress security patches, which address each of these issues separately.
You are affected if you are using a version that falls within the vulnerable range.
roots/wordpress is vulnerable to Improper Input Validation in versions 6.9.0 - 6.9.3, 6.8.0 - 6.8.4, 6.7.0 - 6.7.4, 6.6.0 - 6.6.4, 6.5.0 - 6.5.7, 6.4.0 - 6.4.7, 6.3.0 - 6.3.7, 6.2.0 - 6.2.8, 6.0.0 - 6.1.9, 5.9.0 - 5.9.12, 5.8.0 - 5.8.12, 5.7.0 - 5.7.14, 5.6.0 - 5.6.16, 5.5.0 - 5.5.17, 5.4.0 - 5.4.18, 5.3.0 - 5.3.20, 5.2.0 - 5.2.23, 5.1.0 - 5.1.21, 5.0.0 - 5.0.24, 4.9.0 - 4.9.28 and 0.0.1 - 4.8.27.
Upgrade the roots/wordpress package to a version outside the affected ranges listed above.
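To check a project against the affected ranges above without contacting a service, a lockfile check is enough, since roots/wordpress is installed through Composer and composer.lock records the pinned version. The script below is an added example and not part of this advisory or of the roots/wordpress project; it copies the ranges exactly as listed above (inclusive on both ends), and the composer.lock excerpt it reads is constructed for illustration. Versions that are not numeric releases, such as a branch alias like `dev-main`, are reported as undetermined rather than silently passed.

```python
"""Check whether a composer.lock pins roots/wordpress to a version inside
the affected ranges from this advisory.

Added example, not part of the advisory or the roots/wordpress project.
The ranges are copied from the advisory; the composer.lock content is
constructed for illustration.
"""
import json
import re

PACKAGE = "roots/wordpress"

# Affected ranges as listed in the advisory (inclusive on both ends).
VULNERABLE_RANGES = [
    ("6.9.0", "6.9.3"), ("6.8.0", "6.8.4"), ("6.7.0", "6.7.4"),
    ("6.6.0", "6.6.4"), ("6.5.0", "6.5.7"), ("6.4.0", "6.4.7"),
    ("6.3.0", "6.3.7"), ("6.2.0", "6.2.8"), ("6.0.0", "6.1.9"),
    ("5.9.0", "5.9.12"), ("5.8.0", "5.8.12"), ("5.7.0", "5.7.14"),
    ("5.6.0", "5.6.16"), ("5.5.0", "5.5.17"), ("5.4.0", "5.4.18"),
    ("5.3.0", "5.3.20"), ("5.2.0", "5.2.23"), ("5.1.0", "5.1.21"),
    ("5.0.0", "5.0.24"), ("4.9.0", "4.9.28"), ("0.0.1", "4.8.27"),
]


def parse_version(version):
    """Turn '6.9.3', 'v6.9.3' or '6.9.0-beta1' into a comparable tuple.

    A leading 'v' and any pre-release / build suffix are dropped, so a
    pre-release compares as its base release.  Missing components are
    padded with zeros ('6.4' -> (6, 4, 0)).  Raises ValueError for
    anything that is not a numeric release, e.g. the branch alias 'dev-main'.
    """
    core = re.split(r"[-+]", version.lstrip("v"), maxsplit=1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric release version: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version):
    """True if `version` falls inside any listed range, False if outside,
    None if the version string cannot be classified by range."""
    try:
        v = parse_version(version)
    except ValueError:
        return None
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in VULNERABLE_RANGES)


def locked_version(lock_json, package=PACKAGE):
    """Return the version composer.lock pins for `package`, or None if absent.
    Both the 'packages' and 'packages-dev' sections are searched."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_lock(lock_json):
    """Return (pinned_version, verdict) for the lockfile content; verdict is
    True / False / None as in is_affected, and the pair is (None, False)
    when the package is not present at all."""
    version = locked_version(lock_json)
    if version is None:
        return None, False
    return version, is_affected(version)


# Constructed composer.lock excerpt; only the fields this check reads are present.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "roots/wordpress", "version": "6.4.3"},
        {"name": "composer/installers", "version": "v2.2.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, verdict = check_lock(SAMPLE_LOCK)
    label = {True: "AFFECTED", False: "outside listed ranges", None: "undetermined"}[verdict]
    print(f"{PACKAGE} {version}: {label}")
```

Run it against a real lockfile by passing `open("composer.lock").read()` to `check_lock`. The range comparison is done on integer tuples rather than strings so that `6.4.10` sorts after `6.4.7` correctly; a plain string comparison would get that wrong.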