Description
Versions of the gatsby-source-wordpress plugin prior to 4.0.8 and 5.9.2 leak the .htaccess HTTP Basic Authentication variables into the app.js bundle at build time. Users who do not initialize basic authentication credentials in gatsby-config.js are not affected.
Recommendation
Update the gatsby-source-wordpress package to the latest compatible version. Version details:
Affected version(s): **>= 5.0.0, < 5.9.2** and **< 4.0.8**
Patched version(s): **5.9.2**, **4.0.8**
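A post-build check for the leak described above, as an added example that is not part of the advisory or the plugin's code: it searches the files Gatsby writes to its build directory for the configured Basic Auth password in several encodings. The function names, the sample values and the set of encodings are assumptions made for this example.

```javascript
// Added example: look for configured Basic Auth credentials in Gatsby build output.
// The encodings checked are assumptions; the advisory does not say how the values appear.
function credentialNeedles(username, password) {
  const byValue = new Map(); // value -> label, so identical encodings are searched once
  if (!password) return byValue; // nothing configured, nothing to search for
  const candidates = [
    ['password (raw)', password],
    ['password (JSON-escaped)', JSON.stringify(password).slice(1, -1)],
    ['password (URL-encoded)', encodeURIComponent(password)],
    ['username:password (base64)', Buffer.from(`${username}:${password}`).toString('base64')],
  ];
  for (const [label, value] of candidates) if (!byValue.has(value)) byValue.set(value, label);
  return byValue;
}

// Report where each needle occurs; findings never contain the secret itself.
function scanBundle(fileName, source, needles) {
  const findings = [];
  for (const [value, label] of needles) {
    for (let i = source.indexOf(value); i !== -1; i = source.indexOf(value, i + value.length)) {
      findings.push({ file: fileName, match: label, offset: i });
    }
  }
  return findings;
}

// Scan the top level of the build directory (where the app bundle is written).
async function scanBuildDir(dir, username, password) {
  // Dynamic import works from both CommonJS and ES module scripts.
  const { readdir, readFile } = await import('node:fs/promises');
  const { join } = await import('node:path');
  const needles = credentialNeedles(username, password);
  const findings = [];
  for (const entry of await readdir(dir, { withFileTypes: true })) {
    if (!entry.isFile() || !/\.(js|json|html)$/.test(entry.name)) continue;
    findings.push(...scanBundle(entry.name, await readFile(join(dir, entry.name), 'utf8'), needles));
  }
  return findings;
}

// Constructed sample: fake credentials and a fake bundle fragment embedding them.
const SAMPLE_USER = 'build-user';
const SAMPLE_PASS = 'p@ss"word';
const SAMPLE_BUNDLE = 'var o={auth:{htaccess:{username:"build-user",password:"p@ss\\"word"}}};';
const SAMPLE_FINDINGS = scanBundle('app-sample.js', SAMPLE_BUNDLE, credentialNeedles(SAMPLE_USER, SAMPLE_PASS));
console.log(SAMPLE_FINDINGS);
```

Call `scanBuildDir('public', user, pass)` after `gatsby build`, passing the same values given to the plugin; an empty result on the patched version confirms the rebuilt output no longer carries them in any of the checked encodings.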
Related Issues
- Exposure of Sensitive Information to an Unauthorized Actor in nanoid - CVE-2021-23566
- parse-server auth adapter app ID validation can be circumvented - CVE-2022-39231
- Command Injection Vulnerability - CVE-2021-21315
- webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browse - CVE-2025-30360
Tags: npm, gatsby-source-wordpress
Last updated on February 01, 2023