Support » Fixing WordPress » Use of JavaScript Library with Known Vulnerability

  • Resolved Boldair Développement


    One of my customers recently had a security audit on one of its sites that my agency manages,

    and amongst the results were 2 topics of “Use of JavaScript Library with Known Vulnerability”.
    Those concern:

    Vulnerable Javascript library: jQuery version: 1.12.4 script uri: /wp-includes/js/jquery/jquery.js?x44815
    Details: CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses (3rd party CORS request may execute). Solution: jQuery version 3.0.0 has been released to address the issue. Please refer to vendor documentation for the latest security updates.
    In jQuery versions on or above 1.12.2 and below 2.2.0 $.parseHTML has (lots of) XSS. In these versions parseHTML() executes scripts in event handlers. Please refer to the following resource for more details:

    and the second one is:

    Vulnerable javascript library: jQuery.ui.dialog version: 1.11.4
    Details: jquery.ui.dialog version below 1.12.0 is vulnerable to XSS if the user input is allowed to pass through to the closeText property. Please refer to vendor documentation for the latest security updates.

    Now both those libraries are distributed with WordPress Core (even in the latest 5.4.1)
    and live in /wp-includes/js/, so I can’t really upgrade them (besides, upgrading to the latest jQuery 3.x.x would probably break a lot of plugins out there).

    I’m using Wordfence, which probably protects me from the XSS vulnerabilities in those; still, if these have known vulnerabilities I’d like to know if there’s a mitigation in place inside WP itself (and if a switch to a non-vulnerable major version of jQuery (like, apparently from that report, 1.12.1) is something that’s possibly happening at some point)?

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Use of JavaScript Library with Known Vulnerability’ is closed to new replies.