84 matches found

OSV
added 2024/05/14 3:42 p.m. · 2 views

CVE-2024-3940

The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8 CVSS · 6 AI score
Exploits 0 · References 1

Patchstack
added 2024/05/14 1:30 a.m. · 4 views

WordPress Jetpack plugin <= 13.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via wpvideo Shortcode vulnerability discovered by wesley wcraft in WordPress Plugin Jetpack versions = 13.3.1...

6.4 CVSS · 5.8 AI score · 0.00372 EPSS
Exploits 1 · References 1 · Affected Software 1

CNNVD
added 2024/04/24 12:0 a.m. · 3 views

WordPress plugin Jetpack security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

5.4 CVSS · 6.8 AI score · 0.00272 EPSS
Exploits 0 · References 2

Hacker One
added 2024/02/12 11:8 a.m. · 31 views

Automattic: DOM XSS on multiple Automattic domains through postMessages

A DOM XSS vulnerability was found on widgets.wp.com allowing injection of scripts into the DOM. This was combined with a vulnerability in the Jetpack WordPress plugin where postMessages from widgets.wp.com were used to populate avatar URLs without validation, leading to DOM XSS on WordPress sites...

6.4 AI score
Exploits 0

Vulnrichment
added 2023/11/30 12:7 p.m. · 8 views

CVE-2023-45050 WordPress Jetpack Plugin <= 12.8-a.1 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Automattic Jetpack – WP Security, Backup, Speed, & Growth allows Stored XSS. This issue affects Jetpack – WP Security, Backup, Speed, & Growth: from n/a through 12.8-a.1...

6.5 CVSS · 6.7 AI score · 0.00521 EPSS
Exploits 1 · References 2

WPVulnDB
added 2023/11/24 12:0 a.m. · 27 views

Jetpack < 12.7 - Authenticated(Contributor+) Clickjacking via Iframe Injection

Description The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Clickjacking via iframe injection due to an unknown parameter in all versions up to and including 12.6.2 due to insufficient input sanitization and output escaping. This makes it possible for...

7 AI score · 0.00272 EPSS
Exploits 0 · References 1 · Affected Software 1

Patchstack
added 2023/11/15 12:0 a.m. · 10 views

WordPress Jetpack Plugin < 12.7 is vulnerable to Broken Access Control

Software Jetpack Type Plugin Vulnerable versions 12.7 Fixed in 12.7 OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2023-47788 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID 78da756327ec Credits Rafie Muhammad Patchstack Required...

4.3 CVSS · 6.6 AI score · 0.00393 EPSS
Exploits 0 · References 2 · Affected Software 1

Patchstack
added 2023/11/15 12:0 a.m. · 13 views

WordPress Jetpack Plugin < 12.7 is vulnerable to Clickjacking

Software Jetpack Type Plugin Vulnerable versions 12.7 Fixed in 12.7 OWASP Top 10 A3: Injection Classification Clickjacking CVE CVE-2023-47774 Patch priority Low CVSS severity Low 5.4 Developer Claim ownership PSID 18fefcc21cac Credits Rafie Muhammad Patchstack Required privilege Contributor...

5.4 CVSS · 6.8 AI score · 0.00272 EPSS
Exploits 0 · References 2 · Affected Software 1

Patchstack
added 2023/11/15 12:0 a.m. · 14 views

WordPress Jetpack Plugin <= 12.8-a.1 is vulnerable to Cross Site Scripting (XSS)

Software Jetpack Type Plugin Vulnerable versions = 12.8-a.1 Fixed in 12.8-a.3 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-45050 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 8bdf519cb2b8 Credits Rafie Muhammad Patchstack Required...

6.5 CVSS · 6.5 AI score · 0.00521 EPSS
Exploits 1 · References 2 · Affected Software 1

Prion
added 2023/06/27 2:15 p.m. · 16 views

Deserialization of untrusted data

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization...

6.5 CVSS · 8.9 AI score · 0.04824 EPSS
Exploits 2 · References 2 · Affected Software 1

Vulnrichment
added 2023/06/27 1:17 p.m. · 12 views

CVE-2023-2996 Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization...

7.5 AI score · 0.04824 EPSS
Exploits 2 · References 2

CNNVD
added 2023/06/27 12:0 a.m. · 3 views

WordPress plugin Jetpack input validation error vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. An input validation error vulnerabilit...

8.8 CVSS · 9.3 AI score · 0.04824 EPSS
Exploits 2 · References 3

Positive Technologies
added 2023/06/27 12:0 a.m. · 3 views

PT-2023-22496 · WordPress · Jetpack

Name of the Vulnerable Software and Affected Versions: Jetpack WordPress plugin versions prior to 12.1.1 Description: The issue allows users with author roles or above to manipulate existing files on the site, including deleting arbitrary files. In rare cases, it can also lead to Remote Code...

8.8 CVSS · 9.4 AI score · 0.04824 EPSS
Exploits 2 · References 5

OpenVAS
added 2023/06/02 12:0 a.m. · 14 views

WordPress JetPack Plugin Arbitrary File Manipulation Vulnerability (CVE-2023-2996)

The WordPress plugin SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:automattic:jetpack"; if description...

8.8 CVSS · 7 AI score · 0.04824 EPSS
Exploits 2 · References 2

The Hacker News
added 2023/06/01 4:1 a.m. · 3 views

Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Million of Sites

WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that's installed on over five million sites. The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0, which was released in Novembe...

9.8 CVSS · 7.1 AI score · 0.00616 EPSS
Exploits 0

The Hacker News
added 2023/06/01 4:1 a.m. · 49 views

Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Million of Sites

WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that's installed on over five million sites. The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0, which was released in Novembe...

7.1 AI score · 0.00616 EPSS
Exploits 0

WPVulnDB
added 2023/05/30 12:0 a.m. · 38 views

Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API

The plugin does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization. PoC curl --json ' "media": "tmpname": "/WPCONTENTPATH/wp-config.php"...

8.8 CVSS · 9.3 AI score · 0.04824 EPSS
Exploits 2 · References 1 · Affected Software 1

Patchstack
added 2023/05/30 12:0 a.m. · 4 views

WordPress Jetpack Plugin <= 12.1 is vulnerable to Broken Access Control

Software Jetpack Type Plugin Vulnerable versions = 12.1 Fixed in 12.1.1 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE N/A Patch priority High CVSS severity High 9 Developer Claim ownership PSID e45930af254c Credits Jetpack Required privilege Author Published 30...

6.8 AI score
Exploits 0 · References 2 · Affected Software 1

Packet Storm
added 2023/03/28 12:0 a.m. · 216 views

WordPress Jetpack 11.4 Cross Site Scripting

Exploit Title: Jetpack 11.4 - Cross Site Scripting XSS Date: 2022-10-19 Author: Behrouz Mansoori Software Link: https://wordpress.org/plugins/jetpack Version: 11.4 Tested on: Mac m1 CVE: N/A 1. Description: This plugin creates a Jetpack from any post types. The slider import search feature and ta...

6.8 AI score
Exploits 0

0day.today
added 2023/03/28 12:0 a.m. · 206 views

Jetpack 11.4 - Cross Site Scripting Vulnerability

Exploit Title: Jetpack 11.4 - Cross Site Scripting XSS Author: Behrouz Mansoori Software Link: https://wordpress.org/plugins/jetpack Version: 11.4 Tested on: Mac m1 CVE: N/A 1. Description: This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via...

6.8 AI score
Exploits 0