Title: xmlseclibs vulnerability
Last modified: May 15, 2026

---

# xmlseclibs vulnerability

 *  Resolved [kkatpcc](https://wordpress.org/support/users/kkatpcc/)
 * (@kkatpcc)
 * [1 month, 1 week ago](https://wordpress.org/support/topic/xmlseclibs-vulnerability/)
 * There was a vulnerability in xmlseclibs as described at [https://portswigger.net/research/the-fragile-lock](https://portswigger.net/research/the-fragile-lock).
 * The vulnerability was fixed in xmlseclibs version 3.1.4: [https://github.com/robrichards/xmlseclibs/compare/3.1.3…3.1.4#diff-7ad661ed1d8158bb5c6595db86ba0073f5c3e120ab8bedfdfaea81732e4b4b95L296-R300](https://github.com/robrichards/xmlseclibs/compare/3.1.3...3.1.4#diff-7ad661ed1d8158bb5c6595db86ba0073f5c3e120ab8bedfdfaea81732e4b4b95L296-R300)
 * However, this official WP plugin still indicates use of version 3.1.3 of that
   indirect (via onelogin/php-saml) xmlseclibs dependency: [https://plugins.trac.wordpress.org/browser/wp-saml-auth/trunk/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php#L296](https://plugins.trac.wordpress.org/browser/wp-saml-auth/trunk/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php#L296)
 * The direct onelogin/php-saml dependency addressed that in December: [https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.1](https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.1)
 * Is this plugin technically still vulnerable? If not, cool. If so, why wasn’t 
   something this critical caught/patched months ago, and how can that oversight
   be prevented in the future?
 * Also, now there is another vulnerability, and xmlseclibs 3.1.5 addresses that,
   which is already reflected in onelogin/php-saml version 4.3.2: [https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.2](https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.2)
    -  This topic was modified 1 month, 1 week ago by [kkatpcc](https://wordpress.org/support/users/kkatpcc/).
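A check a site owner can run over a plugin's vendored Composer metadata, added here as an example and not code from the thread or from the plugin; the package names and minimum fixed versions come from the posts above, while the `installed.json` sample is constructed.

```python
import json
import re
from pathlib import Path

# Minimum versions carrying the fixes named in the thread
# (xmlseclibs 3.1.5, onelogin/php-saml 4.3.2).
MIN_FIXED = {
    "robrichards/xmlseclibs": "3.1.5",
    "onelogin/php-saml": "4.3.2",
}

def parse_version(v: str) -> tuple:
    """Turn '3.1.3', 'v3.1.3' or '4.3.2.0' into a comparable tuple of ints.
    Pre-release suffixes such as '-beta1' are dropped; that is sufficient
    for comparing tagged releases."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def installed_packages(installed_json: str) -> dict:
    """Map package name -> version from vendor/composer/installed.json.
    Composer 1 writes a bare list; Composer 2 wraps it in {"packages": [...]}."""
    data = json.loads(installed_json)
    packages = data["packages"] if isinstance(data, dict) else data
    return {p["name"]: p["version"] for p in packages}

def find_outdated(installed: dict, minimums: dict = MIN_FIXED) -> dict:
    """Return {name: (installed_version, required_version)} for each tracked
    package that is missing or older than the fixed release."""
    outdated = {}
    for name, fixed in minimums.items():
        have = installed.get(name)
        if have is None or parse_version(have) < parse_version(fixed):
            outdated[name] = (have, fixed)
    return outdated

# Constructed sample: the vendored state the thread describes (xmlseclibs 3.1.3
# behind 3.1.5; php-saml 4.3.1, which predates the 4.3.2 fix).
SAMPLE_INSTALLED_JSON = json.dumps({"packages": [
    {"name": "robrichards/xmlseclibs", "version": "3.1.3"},
    {"name": "onelogin/php-saml", "version": "v4.3.1"},
]})

if __name__ == "__main__":
    path = Path("vendor/composer/installed.json")  # run from the plugin's directory
    text = path.read_text() if path.exists() else SAMPLE_INSTALLED_JSON
    for name, (have, need) in find_outdated(installed_packages(text)).items():
        print(f"{name}: installed {have}, fix requires >= {need}")
```

Run it from the plugin's root; with no `installed.json` present it falls back to the constructed sample and reports both packages as behind the fixed versions.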

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Contributor [Anais Pantheor](https://wordpress.org/support/users/anaispantheor/)
 * (@anaispantheor)
 * [1 month, 1 week ago](https://wordpress.org/support/topic/xmlseclibs-vulnerability/#post-18909478)
 * Hi [@kkatpcc](https://wordpress.org/support/users/kkatpcc/),
   Thank you for reporting
   this. A [PR](https://github.com/pantheon-systems/wp-saml-auth/pull/477) has been
   created with the needed fixes, and this will be shipped first thing next week.
   We apologize for this situation and appreciate your patience.
 *  Thread Starter [kkatpcc](https://wordpress.org/support/users/kkatpcc/)
 * (@kkatpcc)
 * [1 month ago](https://wordpress.org/support/topic/xmlseclibs-vulnerability/#post-18911574)
 * 👍
 *  Plugin Contributor [Anais Pantheor](https://wordpress.org/support/users/anaispantheor/)
 * (@anaispantheor)
 * [1 month ago](https://wordpress.org/support/topic/xmlseclibs-vulnerability/#post-18913872)
 * Thanks again [@kkatpcc](https://wordpress.org/support/users/kkatpcc/), version
   2.3.2 has been released with security fixes for vulnerabilities in the robrichards/
   xmlseclibs and onelogin/php-saml dependencies.
   Please update when you get a chance.

 * 4 replies
 * 2 participants
 * Last reply from: [Anais Pantheor](https://wordpress.org/support/users/anaispantheor/)
 * Last activity: [1 month ago](https://wordpress.org/support/topic/xmlseclibs-vulnerability/#post-18913872)
 * Status: resolved