johnpbloch/wordpress-core is vulnerable to Remote Code Execution (RCE)
97
Critical Risk
The REST API /batch/v1 endpoint has a batch-route confusion issue that, combined with SQL injection, lets an unauthenticated attacker reach remote code execution on a stock WordPress install with no plugins required. An anonymous request to the batch API can therefore take over the site. The fix hardens batch-route handling and closes the SQL injection path that enabled the RCE.
You are affected if you are using a version that falls within the vulnerable range and the site does not use a persistent object cache.
johnpbloch/wordpress-core is vulnerable to Remote Code Execution (RCE) in versions 6.9.0 - 6.9.4 and 7.0.0 - 7.0.1.
Upgrade the johnpbloch/wordpress-core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant