CVE-2024-9926

MEDIUM LAB

Jetpack WordPress - Info Disclosure

Title source: llm

Description

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form

Exploits (2)

nomisec WORKING POC 3 stars

by m3ssap0 · poc

https://github.com/m3ssap0/wordpress-jetpack-broken-access-control-exploit

View Code ZIP pw:eip

nomisec WORKING POC 2 stars

by m3ssap0 · poc

https://github.com/m3ssap0/wordpress-jetpack-broken-access-control-vulnerable-application

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/669382af-f836-4896-bdcb-5c6a57c99bd9/

Scores

CVSS v3 4.3

EPSS 0.2280

EPSS Percentile 95.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Lab Environment

COMMUNITY

Community Lab

docker pull wordpress:6.6.2

https://github.com/m3ssap0/wordpress-jetpack-broken-access-control-vulnerable-application

https://github.com/m3ssap0/wordpress-jetpack-broken-access-control-exploit

View in Library

Details

Status published

Products (6)

automattic/jetpack 13.0

automattic/jetpack 13.5

automattic/jetpack 13.6

automattic/jetpack 13.7

automattic/jetpack 13.9

automattic/jetpack 13.1 - 13.1.4

Published Nov 07, 2024

Tracked Since Feb 18, 2026