Skip to main content

Jetpack CVE-2024-9926

MEDIUM
2024-11-07 contact@wpscan.com
4.3
CVSS 3.1 · Vendor: wpscan
Share

Severity by source

Vendor (wpscan) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (wpscan) · only source for this CVE.

CVSS VectorVendor: wpscan

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 07, 2024 - 15:15 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form

AnalysisAI

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form Affected products include: Automattic Jetpack.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2023-2996 HIGH POC
8.8 Jun 27

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above t

CVE-2023-45050 MEDIUM POC
6.5 Nov 30

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack

CVE-2023-54332 MEDIUM POC
6.1 Jan 13

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject ma

CVE-2024-10858 MEDIUM POC
6.1 Dec 25

The Jetpack WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing

CVE-2024-10075 MEDIUM POC
5.6 May 15

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to

CVE-2021-24374 MEDIUM POC
5.3 Jun 21

The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image ga

CVE-2024-4392 MEDIUM
6.4 May 14

The Jetpack - WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2024-10076 MEDIUM
5.9 May 15

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerato

CVE-2014-0173 MEDIUM
5.8 Apr 22

The Jetpack plugin before 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x before 2.1.4, 2.2.x before 2.2.7, 2.3.x before 2.3

CVE-2023-47774 MEDIUM
5.4 Apr 24

Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking.7. Rated me

Share

CVE-2024-9926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy