[wp-trac] [WordPress Trac] #63259: Usage of zxcvbn 4.4.1 with known vulnerability
WordPress Trac
noreply at wordpress.org
Thu Apr 10 11:51:15 UTC 2025
#63259: Usage of zxcvbn 4.4.1 with known vulnerability
--------------------------------+-----------------------------
Reporter: fseydel | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: External Libraries | Version:
Severity: major | Keywords:
Focuses: javascript |
--------------------------------+-----------------------------
The password-strength-meter in wp-admin uses the 12-year-old package zxcvbn 4.4.1.
This package has a known vulnerability:
https://security.snyk.io/package/npm/zxcvbn/4.4.1
Using this package failed a pentest on a customer's WordPress website.
An idea would be to switch to zxcvbn-ts (https://github.com/zxcvbn-ts/zxcvbn), which is up-to-date and has no known vulnerability.
Migration should easily be possible: https://zxcvbn-ts.github.io/zxcvbn/guide/migration/#zxcvbn-4-4-2-to-zxcvbn-ts-0-1-0
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63259>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform