Make WordPress Core

Opened 5 months ago

Closed 5 months ago

Last modified 5 months ago

#60571 closed defect (bug) (invalid)

Lodash Vulnerability

Reported by: adeel321's profile adeel321 Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: External Libraries Keywords:
Focuses: Cc:


Hi i am facing these vulnerabilities. kindly let me know how to fix it


  1. Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function

defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a
constructor payload.

  1. Lodash Improperly Controlled Modification of

Object Prototype Attributes ('Prototype Pollution')
Vulnerability (

facing in both staging ( and production

Change History (4)

#1 @swissspidy
5 months ago

  • Component changed from General to External Libraries
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed
  • Version 6.4.3 deleted

Hi there and welcome to Trac.

WordPress bundles the latest version of Lodash, which is currently version 4.17.21.

If you are using an older version, then there might be a plugin or theme on your site that overrides the default one. FWIW, on your site I don't even see Lodash being used.

If you need help with plugins and themes changing your Lodash version, I recommend using the support forums. And if your security tool lists incorrect data, well, you should report this to the tool makers.

Again, WordPress uses the latest version, so this issue is specific to your site. Hence closing this ticket.

#2 @adeel321
5 months ago

Thanks for your quick response i am using WordPress 6.4.3 , kindly let me howto update the latest version of the load dash.

#3 @swissspidy
5 months ago

As I said, WordPress itself already uses the latest version of Lodash. If your site is using a different version for some reason, please seek help in the support forums.

Note: See TracTickets for help on using tickets.