Skip to main content

Jetpack CVE-2021-24374

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2021-06-21 contact@wpscan.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 21, 2021 - 20:15 nvd
MEDIUM 5.3

DescriptionNVD

The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked.

AnalysisAI

The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-639. The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked. Affected products include: Automattic Jetpack. Version information: before 9.8.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2023-2996 HIGH POC
8.8 Jun 27

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above t

CVE-2023-45050 MEDIUM POC
6.5 Nov 30

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack

CVE-2023-54332 MEDIUM POC
6.1 Jan 13

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject ma

CVE-2024-10858 MEDIUM POC
6.1 Dec 25

The Jetpack WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing

CVE-2024-10075 MEDIUM POC
5.6 May 15

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to

CVE-2024-9926 MEDIUM POC
4.3 Nov 07

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated

CVE-2024-4392 MEDIUM
6.4 May 14

The Jetpack - WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2024-10076 MEDIUM
5.9 May 15

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerato

CVE-2014-0173 MEDIUM
5.8 Apr 22

The Jetpack plugin before 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x before 2.1.4, 2.2.x before 2.2.7, 2.3.x before 2.3

CVE-2023-47774 MEDIUM
5.4 Apr 24

Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking.7. Rated me

Share

CVE-2021-24374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy