When running Google Lighthouse tests for Best Practices, WordPress users can run into a 7 point deduction for Includes front-end JavaScript libraries with known security vulnerabilities
. If everything else is order on your site for Best Practices, you'll probably have a score of 93:
The associated directive is, "Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more."
You may be tempted to think this is coming from a plugin or your theme (which is still worth checking), but WordPress Core actually contains this Jquery script. Version 1.12.4 was released way back in May, 2016. WordPress has since patched it with [email protected]
, but there are a bunch of reasons that might cause the wrong old, unpatched version to load instead.
The 2 exploits that Google's Best Practices are referring to pertaining to this core script are Cross-site Scripting (XSS)
(when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source, read the full report here) and Prototype Pollution
(the ability to inject properties into existing JavaScript language construct prototypes, such as objects, read the full report here)
Why doesn't WordPress Core just update to the latest JQuery version? Unfortunately, it's not backwards compatible with 1.12.4 so forcing an update will cause lots of sites to break. There is an ongoing discussion here that tracks when the upgrade should take place within WordPress Core.
WARNING: If you have some older dependencies, using the following plugin may cause JS errors in your console and certain site functionality to stop so be sure to try it out on a staging copy of your site first or at least when you're at a low traffic time.
Thankfully, you don't have to wait. You can use a free plugin to update just that JS without having to get dirty with your site code. The plugin is called jQuery Manager for WordPress. Just install that and ensure the latest (default) version is enabled (jquery-3.4.1.js.min at the time of writing):
While you're here, you can ensure the same upgrade for jQuery Migrate settings (the second tab):