CVE-2022-50958

MEDIUM

WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50958. PoCs published by Milad karimi.

AI-analyzed exploit summary The exploit demonstrates a reflected XSS vulnerability in WordPress Plugin Jetpack 9.1 by injecting a malicious script via the 'post_id' parameter in the 'grunion-form-view.php' endpoint. The PoC provides a direct URL with a payload that triggers an alert dialog, confirming the vulnerability.

Description

WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers.

Exploits (1)

exploitdb WORKING POC
by Milad karimi · textwebappsphp
https://www.exploit-db.com/exploits/50735

The exploit demonstrates a reflected XSS vulnerability in WordPress Plugin Jetpack 9.1 by injecting a malicious script via the 'post_id' parameter in the 'grunion-form-view.php' endpoint. The PoC provides a direct URL with a payload that triggers an alert dialog, confirming the vulnerability.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin Jetpack 9.1
No auth needed
Prerequisites: Access to the vulnerable endpoint · Victim interaction to click the crafted URL
devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-50735
https://www.exploit-db.com/exploits/50735
Product product
Product Reference
https://wordpress.org/plugins/jetpack
Third Party Advisory third-party-advisory
VulnCheck Advisory: WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php
https://www.vulncheck.com/advisories/wordpress-plugin-jetpack-cross-site-scripting-via-grunion-form-view-php

Scores

CVSS v3 6.1
EPSS 0.0020
EPSS Percentile 10.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
jetpack/Jetpack 9.1
Published May 10, 2026
Tracked Since May 10, 2026