WordPress Vulnerabilities

WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package

Description

The @wordpress/url package used in WordPress and the Gutenberg plugin is affected by a Prototype Pollution issue

Affects WordPress

5.9.1
Fixed in WordPress 5.9.2
5.9
Fixed in WordPress 5.9.2
5.8.3
Fixed in WordPress 5.8.4
5.8.2
Fixed in WordPress 5.8.4
5.8.1
Fixed in WordPress 5.8.4
5.8
Fixed in WordPress 5.8.4
5.7.5
Fixed in WordPress 5.7.6
5.7.4
Fixed in WordPress 5.7.6
5.7.3
Fixed in WordPress 5.7.6
5.7.2
Fixed in WordPress 5.7.6
5.7.1
Fixed in WordPress 5.7.6
5.7
Fixed in WordPress 5.7.6

Affects Plugins

Plugin icon
gutenberg
Fixed in 12.7.2

References

URL
https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
URL
https://github.com/WordPress/gutenberg/pull/39365/files

Miscellaneous

Verified
Yes
WPVDB ID
6e61b246-5af1-4a4f-9ca8-a8c87eb2e499

Timeline

Publicly Published
2022-03-11 (about 4 years ago)
Added
2022-03-11 (about 4 years ago)
Last Updated
2022-04-17 (about 4 years ago)

Other

Published
Title
Published
2014-08-01
Title
Social Media Widget < 4.0.2 - Malicious Code
Published
2024-03-25
Title
Essential Addons for Elementor < 5.9.12 - Contributor+ Stored XSS
Published
2025-02-17
Title
K Elements < 5.4.0 - Authentication Bypass
Published
2025-10-14
Title
Binary MLM Plan < 5.0 - Unauthenticated Limited Privilege Escalation
Published
2013-06-21
Title
WordPress 3.5-3.5.1 Multiple Role Remote Privilege Escalation