Make WordPress Core

Opened 5 months ago

Closed 5 months ago

Last modified 5 months ago

#60571 closed defect (bug) (invalid)

Lodash Vulnerability

Reported by: adeel321
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: External Libraries
Keywords:
Focuses:
Cc:

Description

Hi, I am facing these vulnerabilities. Kindly let me know how to fix them.

CVE-2019-10744

  1. Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

  2. Lodash Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2020-8203)

I am facing these on both staging (https://dev.am.gov.ae/) and production (https://am.gov.ae/).
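The defaultsDeep weakness quoted in the description above, reproduced as an added JavaScript example that is not code from the ticket, from WordPress or from lodash itself: a minimal recursive defaults merge with the same defect (it resolves keys of the target through the prototype chain), fed the constructor payload named in the CVE text plus a constructed `__proto__` variant, beside a hardened merge that blocks both. The payload JSON, the `isAdmin` property and the `pollutes` check are constructed for illustration.

```javascript
// Added example, not code from the ticket and not lodash's own source.
// It reproduces the shape of the CVE-2019-10744 bug (a recursive "defaults"
// merge that resolves target keys through the prototype chain) and the
// checks that close it. Payloads and objects below are constructed.

// Constructed attacker input: JSON a client could send to an endpoint whose
// handler deep-merges request data over a defaults object.
const CONSTRUCTOR_PAYLOAD = JSON.parse(
  '{"constructor": {"prototype": {"isAdmin": true}}}'
);
// Constructed second variant: JSON.parse creates an *own* key named
// "__proto__", which a naive merge then resolves to Object.prototype as well.
const PROTO_PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}}');

function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable pattern: target[key] is read through the prototype chain, so
// "constructor" yields Object and "prototype" yields Object.prototype; the
// recursion then writes the attacker's property onto Object.prototype.
function unsafeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isObjectLike(src)) {
      if (!isObjectLike(target[key])) target[key] = {};
      unsafeDefaultsDeep(target[key], src);
    } else if (target[key] === undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Hardened pattern: refuse the keys that reach the prototype chain, recurse
// only into plain objects, and consult only the target's *own* properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(src) && (!hasOwn || isPlainObject(target[key]))) {
      if (!hasOwn) target[key] = {};
      safeDefaultsDeep(target[key], src);
    } else if (!hasOwn) {
      target[key] = src;
    }
  }
  return target;
}

// Runs one merge against an empty target and reports whether an unrelated
// object created afterwards inherits the injected property. Cleans up so a
// positive result does not leak into the rest of the process.
function pollutes(mergeFn, payload) {
  try {
    mergeFn({}, payload);
    const unrelated = {};
    return unrelated.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log('unsafe, constructor payload:', pollutes(unsafeDefaultsDeep, CONSTRUCTOR_PAYLOAD)); // true
console.log('unsafe, __proto__ payload:  ', pollutes(unsafeDefaultsDeep, PROTO_PAYLOAD));       // true
console.log('safe,   constructor payload:', pollutes(safeDefaultsDeep, CONSTRUCTOR_PAYLOAD));   // false
console.log('safe,   __proto__ payload:  ', pollutes(safeDefaultsDeep, PROTO_PAYLOAD));         // false
console.log('safe still fills defaults:  ',
  JSON.stringify(safeDefaultsDeep({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
```

Run it with node. The `pollutes` check is the reusable part: point it at whatever merge or extend helper a plugin or theme bundles, because a vulnerable copy on a WordPress site is almost always a third-party one rather than the lodash build that ships in core.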

Change History (4)

#1 @swissspidy
5 months ago

  • Component changed from General to External Libraries
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed
  • Version 6.4.3 deleted

Hi there and welcome to Trac.

WordPress bundles the latest version of Lodash, which is currently version 4.17.21.

If you are using an older version, then there might be a plugin or theme on your site that overrides the default one. FWIW, on your site I don't even see Lodash being used.

If you need help with plugins and themes changing your Lodash version, I recommend using the support forums. And if your security tool lists incorrect data, well, you should report this to the tool makers.

Again, WordPress uses the latest version, so this issue is specific to your site. Hence closing this ticket.

#2 @adeel321
5 months ago

Thanks for your quick response. I am using WordPress 6.4.3; kindly let me know how to update to the latest version of Lodash.

#3 @swissspidy
5 months ago

As I said, WordPress itself already uses the latest version of Lodash. If your site is using a different version for some reason, please seek help in the support forums.
