CVE-2024-9926

MEDIUM LAB

Jetpack WordPress - Info Disclosure


Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-9926. PoCs published by m3ssap0.

AI-analyzed exploit summary: This is a Python-based exploit for CVE-2024-9926, a broken access control vulnerability in WordPress Jetpack versions before 13.9.1. It allows authenticated users to read forms submitted by visitors via an unauthorized REST API endpoint.

Description

The Jetpack WordPress plugin does not perform proper authorisation checks on one of its REST endpoints, allowing any authenticated user, such as a subscriber, to read arbitrary feedback data submitted via the Jetpack Contact Form.

Exploits (2)

nomisec WORKING POC 3 stars
by m3ssap0 · poc
https://github.com/m3ssap0/wordpress-jetpack-broken-access-control-exploit

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress Jetpack < 13.9.1
Auth required
Prerequisites: Valid WordPress username · Valid WordPress application password · Target running vulnerable Jetpack version
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by m3ssap0 · poc
https://github.com/m3ssap0/wordpress-jetpack-broken-access-control-vulnerable-application

This repository provides a vulnerable WordPress environment with Jetpack < 13.9.1 to test CVE-2024-9926, a broken access control vulnerability allowing logged-in users to read submitted forms via REST API endpoints. The PoC includes setup scripts and documentation for exploitation.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress Jetpack < 13.9.1
Auth required
Prerequisites: Docker · WordPress with Jetpack < 13.9.1 · Logged-in user credentials
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory (tags: exploit, vdb-entry, technical-description)
https://wpscan.com/vulnerability/669382af-f836-4896-bdcb-5c6a57c99bd9/

Scores

CVSS v3: 4.3
EPSS: 0.0115
EPSS Percentile: 62.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

Status: published
Products (6)
automattic/jetpack 13.0
automattic/jetpack 13.5
automattic/jetpack 13.6
automattic/jetpack 13.7
automattic/jetpack 13.9
automattic/jetpack 13.1 - 13.1.4
Published: Nov 07, 2024
Tracked Since: Feb 18, 2026