Support » Theme: Neve » Neve using old version of jquery?

  • Resolved wp-boffin

    (@wp-boffin)


    In doing some performance testing of the Neve theme with the Chrome browser Lighthouse extension, the test results identify a vulnerability associated with use of an old version jQuery, namely version 1.12.4. I verified this using the Chrome Devtools. The latest version of jquery is 3.4.1.

    Not sure if this vulnerability is associated with the Neve theme itself or one of the plugins installed. Could you please investigate this usage of an old version of jquery.

    Thank you,

    • This topic was modified 4 months, 2 weeks ago by  wp-boffin.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Old versions of code don’t necessarily mean vulnerabilities and themes should use the version of jquery that comes with WordPress.

    Hopefully the developer will reply.

    Hi @wp-boffin,

    Neve’s using jQuery from the WordPress core, so there shouldn’t be any problem with that. We’re not enqueueing any custom version of it.
    Make sure there are not any sort of conflicts with other plugins.
    Let me know if you manage to find what’s causing this.

    Regards,
    Rodica

    Thank you Rodica for your reply regarding the outdated jquery v1.12.4. I did some further digging and determined that this jquery issue is not related to the Neve WP Theme.

    What I did was to (1) create a fresh install of WordPress v5.2.2, (2) installed the 2019 default WP theme, and (3) no plugins. Then ran GTMetrix to check the installed jquery version (../wp-includes/js/jquery/jquery.js) — sure enough WordPress installs the outdated jquery v1.12.4. Also, I did some googling on this version of jquery and found that it has a XSS security vulnerability, which has been known for some time. Moreover, Google’s Lighthouse tool flags this version of jquery as security vulnerability.

    Interestingly, I found that the WordPress core developers did open a ticket ( severity: critical ) to update from jquery 1.12.4 to v3 — but that was about 3 years ago!!!

    Hopefully a Forum Moderator can pickup on this issue and encourage the WP code developers to fix this security issue.

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.