xmlseclibs vulnerability
There was a vulnerability in xmlseclibs as described at https://portswigger.net/research/the-fragile-lock.
The vulnerability was fixed in xmlseclibs version 3.1.4: https://github.com/robrichards/xmlseclibs/compare/3.1.3…3.1.4#diff-7ad661ed1d8158bb5c6595db86ba0073f5c3e120ab8bedfdfaea81732e4b4b95L296-R300
However, this official WP plugin still indicates use of version 3.1.3 of that indirect (via onelogin/php-saml) xmlseclibs dependency: https://plugins.trac.ww.wp.xz.cn/browser/wp-saml-auth/trunk/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php#L296
The direct onelogin/php-saml dependency addressed that in December: https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.1
Is this plugin technically still vulnerable? If not, cool. If so, why wasn’t something this critical caught/patched months ago, and how can that oversight be prevented in the future?
Also, now there is another vulnerability, and xmlseclibs 3.1.5 addresses that, which is already reflected in onelogin/php-saml version 4.3.2: https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.2
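One way to answer the "is this plugin still shipping the old dependency" question without reading the vendored PHP by hand is to check the Composer manifest that ships inside the plugin's `vendor/` directory against the minimum versions the post names. The script below is an added example written for this thread, not code from wp-saml-auth, onelogin/php-saml or xmlseclibs; the sample `installed.json` content is constructed, and the minimum versions are those stated above (xmlseclibs 3.1.4 for the fragile-lock fix, 3.1.5 for the later one, php-saml 4.3.2 as the release that already carries 3.1.5).

```python
import json
from pathlib import Path

# Constructed sample of what Composer writes to vendor/composer/installed.json.
# Only the shape matters; the versions are illustrative, not copied from any real bundle.
SAMPLE_INSTALLED_JSON = json.dumps({
    "packages": [
        {"name": "onelogin/php-saml", "version": "4.3.1"},
        {"name": "robrichards/xmlseclibs", "version": "3.1.3"},
    ]
})

# Minimum versions as stated in the post: 3.1.4 fixed the fragile-lock issue,
# 3.1.5 the later one, and php-saml 4.3.2 is the release that pulls in 3.1.5.
MIN_VERSIONS = {
    "robrichards/xmlseclibs": "3.1.5",
    "onelogin/php-saml": "4.3.2",
}


def parse_version(v: str) -> tuple:
    """Turn 'v3.1.4' or '3.1.4' (optionally with a '-beta' suffix) into a comparable tuple."""
    v = v.lstrip("v").split("-")[0]
    return tuple(int(p) for p in v.split("."))


def load_packages(text: str) -> list:
    """Accept both installed.json layouts: a bare list (Composer 1) or {"packages": [...]} (Composer 2)."""
    data = json.loads(text)
    return data["packages"] if isinstance(data, dict) else data


def find_outdated(text: str, minimums: dict = MIN_VERSIONS) -> dict:
    """Return {package: installed_version} for each tracked package older than its minimum."""
    outdated = {}
    for pkg in load_packages(text):
        name = pkg.get("name")
        if name in minimums and parse_version(pkg["version"]) < parse_version(minimums[name]):
            outdated[name] = pkg["version"]
    return outdated


def scan_plugin(plugin_dir: str, minimums: dict = MIN_VERSIONS) -> dict:
    """Run the check against an unpacked plugin directory (path is an assumption about layout)."""
    manifest = Path(plugin_dir) / "vendor" / "composer" / "installed.json"
    return find_outdated(manifest.read_text(), minimums)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in scan_plugin("/path/to/wp-saml-auth") for a real check.
    for name, ver in find_outdated(SAMPLE_INSTALLED_JSON).items():
        print(f"{name} {ver} is below the minimum {MIN_VERSIONS[name]}")
```

If a plugin copies `vendor/` in without the Composer metadata, `installed.json` will be missing; in that case the only option is to diff the vendored `XMLSecurityDSig.php` against the upstream 3.1.4 change linked above, which is what the post's line reference is doing manually. Running a check like this in the plugin's release pipeline is the kind of step that would have caught the stale dependency at build time rather than months later.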