CVE-2024-10858

MEDIUM

Jetpack < 14.1 - DOM-Based Cross-Site Scripting via PostMessage Origin Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-10858. PoCs published by iamarit.

Description

The Jetpack WordPress plugin before 14.1 does not properly check the postMessage origin in its 13.x versions, allowing the check to be bypassed and leading to DOM-based XSS. The issue only affects websites hosted on WordPress.com.
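For context on the weakness class, an added example that is not Jetpack's code and does not reproduce the actual flawed check: a postMessage handler with a loose (substring) origin check beside one that compares the full origin against an exact allowlist. The trusted origins and message shapes are assumptions for illustration.

```javascript
// Added example (not Jetpack's code): two ways a postMessage handler can
// validate event.origin. The weak version shows a common mistake pattern
// (substring match); the strict version compares against an exact allowlist.
// The origins below are constructed samples, not taken from the advisory.

const TRUSTED_ORIGINS = new Set([
  'https://wordpress.com',
  'https://public-api.wordpress.com',
]);

// Weak: substring match. Any origin that merely *contains* the trusted host
// name (e.g. "https://wordpress.com.attacker.example") is accepted.
function weakOriginCheck(origin) {
  return origin.indexOf('wordpress.com') !== -1;
}

// Strict: exact, normalised comparison of the full origin (scheme + host +
// port) against an allowlist. No prefix, suffix or regex logic at all.
function strictOriginCheck(origin) {
  let parsed;
  try {
    parsed = new URL(origin);           // normalises scheme and host case
  } catch (e) {
    return false;                       // 'null' or malformed origins rejected
  }
  return TRUSTED_ORIGINS.has(parsed.origin);
}

// A handler shaped like a typical embed bridge: it drops messages whose
// origin fails the check and never writes message data into the DOM as HTML.
// `sink` stands in for a DOM element (any object with a textContent property).
function handleMessage(event, originCheck, sink) {
  if (!originCheck(event.origin)) return false;
  const data = typeof event.data === 'string' ? event.data : '';
  sink.textContent = data;              // textContent, never innerHTML
  return true;
}
```

In a real page the handler is wired up with `window.addEventListener('message', e => handleMessage(e, strictOriginCheck, el))`; a defensive review looks for any origin check that is not an exact comparison.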

Exploits (1)

References (1)

Core References (1)
Tags: Exploit, Third Party Advisory, exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/7fecba37-d718-4dd4-89f3-285fb36a4165/

Scores

CVSS v3 6.1
EPSS 0.0032
EPSS Percentile 23.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
automattic/jetpack < 14.1
Published Dec 25, 2024
Tracked Since Feb 18, 2026