[wp-trac] [WordPress Trac] #37110: Update to jQuery 3.*
WordPress Trac
noreply at wordpress.org
Fri Jan 10 15:20:30 UTC 2020
#37110: Update to jQuery 3.*
-------------------------------------------------+-------------------------
Reporter: jorbin                                 | Owner: (none)
Type: task (blessed)                             | Status: new
Priority: normal                                 | Milestone: Future Release
Component: External Libraries                    | Version:
Severity: critical                               | Resolution:
Keywords: early has-patch needs-testing          | Focuses: javascript
          needs-dev-note needs-screenshots       |
          needs-refresh                          |
-------------------------------------------------+-------------------------
Comment (by a4jp.com):
Can the jQuery security vulnerabilities in WordPress be fixed, please?
This thread has also been open for 4 years.
One vulnerability (identified as CVE-2019-11358) can allow people to
assign themselves administrator privileges in a web application if they
are using the old jQuery library code. This is a huge problem!!!!!!
It doesn't matter which edited version of jQuery WordPress has in it, but
if you know there are security risks and just load the standard version
onto every website it's not good. Even Google drops website rankings
because of this. This should warrant an urgent update. Also, why is it
being left on purpose when there is even code on this page that gives
users an option to select the old version if they have trouble? Linking to
version 1.x or 2.x now is just not right. WordPress users should get
warnings if the old versions are used, but they should also be allowed to
choose an older version if they like at their own risk, as new code that
breaks websites is also not a cool option. Linking to the old code with
vulnerabilities is also another reason why recently the number of hacked
sites has started going up.
I manually edit out the security problem by deregistering it and loading the
latest version on all my websites. It's easy to do but took me a while to
find out how to do it. This is not the biggest problem though. The plugin
developers tell me they will not update their code either as they say the
WordPress guidelines tell them they have to connect to the built-in code
in WordPress!!!!! How do you expect people to start using the new version
of jQuery if the guidelines tell them they must link to the old version in
WordPress?
About a year ago, someone hacked one of my sites and I learned my lesson
the hard way. I lost my top page position in Google (number 2) for 3 days
because a hacker linked my site to a site that tried to infect computers.
It also took about 3 months to completely recover and get a good spot on
the top page again after the damage. It was almost impossible to go
through all the code that had been added but I'm lucky I had backups of
everything. I could just replace the whole site. This website had
scrambled usernames and email addresses in it but I'm lucky the data
wasn't stolen at the time.
If it's okay, can you please get at least one or two programmers to just
add the code from the guy above to the core if it's nice programming? He
has given you the code for free and it almost takes no effort to release a
version where even a low-level user can choose an old version if they want
to, also if their website is broken somehow. This WordPress update would
even promote updating the plugins with the vulnerabilities. A jQuery
compatibility filter could be added to the plugin repository so we know
which plugins work. I could even update the website for free if needed, to
help out.
Sorry for the super long message here but I think this has become a
serious problem.
Regards,
Glen
----
expresstechsupport (@expresstechsupport)
3 hours, 10 minutes ago
Hi,
As per WordPress.org regulations, we must use the WordPress-included jQuery.
We cannot be de-registering it and loading jQuery from other resources.
----
[[Image(https://a4jp.com/test/bugs/Screen-Shot-01-11-20-at-12-14-AM.PNG)]]
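The vulnerability the comment names, CVE-2019-11358, is prototype pollution through `jQuery.extend(true, ...)` in jQuery before 3.4.0. As an added example that is not code from the ticket or from jQuery itself, the block below is a minimal deep merge in that pre-3.4.0 shape beside the hardened form carrying the 3.4.0 check, plus a self-check that reports whether a given merge function writes into `Object.prototype`; the payload and the `pollutedByTest` key are constructed for illustration.

```javascript
// Added example, not code from the ticket or from jQuery: a minimal deep merge
// in the shape of jQuery.extend(true, target, source) before 3.4.0 (the pattern
// CVE-2019-11358 describes) and the hardened form with the 3.4.0 fix, which is
// to never merge a source key literally named "__proto__".

// Mirrors jQuery's isPlainObject: an object with no prototype at all (such as
// Object.prototype itself) also counts as "plain". That detail is what lets the
// unsafe merge walk from target["__proto__"] into Object.prototype.
function isPlainObject(obj) {
  if (Object.prototype.toString.call(obj) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(obj);
  if (proto === null) return true;
  return Object.prototype.hasOwnProperty.call(proto, "constructor") &&
    proto.constructor === Object;
}

function deepExtend(target, source, skipProto) {
  for (const name of Object.keys(source)) {
    // The 3.4.0 fix: a source key named "__proto__" is skipped entirely.
    if (skipProto && name === "__proto__") continue;
    const copy = source[name];
    if (copy === target) continue;            // avoid never-ending loops
    if (isPlainObject(copy)) {
      const src = target[name];               // for "__proto__": Object.prototype
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Pre-3.4.0 behaviour and hardened behaviour as two named entry points.
const deepExtendUnsafe = (t, s) => deepExtend(t, s, false);
const deepExtendSafe = (t, s) => deepExtend(t, s, true);

// Runs one merge over a constructed payload (not a captured attack) and reports
// whether an unrelated fresh object gained the key, i.e. whether Object.prototype
// was written to. Cleans up afterwards so the rest of the process is unaffected.
function leaksIntoPrototype(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"pollutedByTest": true}}');
  mergeFn({}, payload);
  const leaked = ({}).pollutedByTest === true;
  delete Object.prototype.pollutedByTest;
  return leaked;
}
```

The same check, pointed at the real `jQuery.extend` with `deep` set to true, is a quick way to confirm whether the jQuery build a site actually ships still has the pre-3.4.0 behaviour.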
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37110#comment:85>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform