Skip to main content

Jetpack CVE-2023-2996

HIGH
2023-06-27 contact@wpscan.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 27, 2023 - 14:15 nvd
HIGH 8.8

DescriptionNVD

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.

AnalysisAI

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization. Affected products include: Automattic Jetpack. Version information: before 12.1.1.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2023-45050 MEDIUM POC
6.5 Nov 30

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack

CVE-2023-54332 MEDIUM POC
6.1 Jan 13

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject ma

CVE-2024-10858 MEDIUM POC
6.1 Dec 25

The Jetpack WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing

CVE-2024-10075 MEDIUM POC
5.6 May 15

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to

CVE-2021-24374 MEDIUM POC
5.3 Jun 21

The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image ga

CVE-2024-9926 MEDIUM POC
4.3 Nov 07

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated

CVE-2024-4392 MEDIUM
6.4 May 14

The Jetpack - WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2024-10076 MEDIUM
5.9 May 15

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerato

CVE-2014-0173 MEDIUM
5.8 Apr 22

The Jetpack plugin before 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x before 2.1.4, 2.2.x before 2.2.7, 2.3.x before 2.3

CVE-2023-47774 MEDIUM
5.4 Apr 24

Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking.7. Rated me

Share

CVE-2023-2996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy