7.5

WordPress URL Validation Issue: Malicious URLs Accepted

CVE-2026-25679 BIT-golang-2026-25679
Summary

WordPress incorrectly validates URLs, allowing attackers to use malicious or fake hostnames. This can lead to phishing, malware distribution, or data tampering. Update WordPress to the latest version to ensure proper URL validation.

What to do
  • Update stdlib to version 1.26.1.
  • Update golang to version 1.26.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|  | stdlib | > 1.26.0-0, <= 1.26.1 | 1.26.1 |
|  | golang | > 1.26.0-0, <= 1.26.1 | 1.26.1 |
Original title
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Original description
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026