Skip to main content

Jetpack CVE-2023-45050

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-11-30 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
CVE Published
Nov 30, 2023 - 12:15 cve.org
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack - WP Security, Backup, Speed, & Growth allows Stored XSS.This issue affects Jetpack - WP Security, Backup, Speed, & Growth: from n/a through 12.8-a.1.

AnalysisAI

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack - WP Security, Backup, Speed, & Growth allows Stored XSS.8-a.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack - WP Security, Backup, Speed, & Growth allows Stored XSS.8-a.1. Affected products include: Automattic Jetpack. Version information: through 12.8.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-2996 HIGH POC
8.8 Jun 27

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above t

CVE-2023-54332 MEDIUM POC
6.1 Jan 13

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject ma

CVE-2024-10858 MEDIUM POC
6.1 Dec 25

The Jetpack WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing

CVE-2024-10075 MEDIUM POC
5.6 May 15

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to

CVE-2021-24374 MEDIUM POC
5.3 Jun 21

The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image ga

CVE-2024-9926 MEDIUM POC
4.3 Nov 07

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated

CVE-2024-4392 MEDIUM
6.4 May 14

The Jetpack - WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2024-10076 MEDIUM
5.9 May 15

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerato

CVE-2014-0173 MEDIUM
5.8 Apr 22

The Jetpack plugin before 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x before 2.1.4, 2.2.x before 2.2.7, 2.3.x before 2.3

CVE-2023-47774 MEDIUM
5.4 Apr 24

Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking.7. Rated me

Share

CVE-2023-45050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy