This is the technical support forum for WPML - the multilingual WordPress plugin.

Everyone can read, but only WPML clients can post here. WPML team is replying on the forum 6 days per week, 22 hours per day.

Supporter working hours: Sunday to Thursday, 9:00 – 15:00; Friday and Saturday: none.

Supporter timezone: Asia/Yerevan (GMT+04:00)

This topic contains 4 replies, has 0 voices.

Last updated by Christopher Amirian 2 days, 4 hours ago.

Assisted by: Christopher Amirian.

February 8, 2025 at 7:55 am #16681826

samM-17

Background of the issue:
We have recently completed an independent penetration test on a site we are building which uses WPML. The penetration testing identified that WPML is using an outdated version of the domPurify library which has a cross-site-scripting vulnerability, and we would appreciate your support in patching WPML with the latest version of domPurify. hidden link

Symptoms:
The penetration test identified a cross-site-scripting vulnerability due to an outdated version of the domPurify library used by WPML.

Questions:
Can you help us patch WPML with the latest version of domPurify?

February 8, 2025 at 3:24 pm #16682560

Christopher Amirian
Supporter

Languages: English (English)

Timezone: Asia/Yerevan (GMT+04:00)

Hi,

Welcome to WPML support. May I know where the dependency is in the WPML code? Maybe the file path so I can report this?

Thank you.

February 10, 2025 at 7:31 am #16685201

samM-17

Sure... sitepress-multilingual-cms/dist/js/domPurify/app.js

February 10, 2025 at 2:49 pm #16688222

Christopher Amirian
Supporter

Thank you very much. I reported this to the second tier support and they will investigate.

February 13, 2025 at 11:00 am #16701280

Christopher Amirian
Supporter

Hi,

I wanted to inform you that the issue has been escalated to our development team.

Thank you for bringing this issue to our attention.