← back
CVE-2024-9926

Jetpack < 13.9.1 - Subscriber+ Arbitrary Feedback Access

CVSS 4.3 MEDIUMEPSS 1.1%
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 1.1%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
07 Nov 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products
Unknown · Jetpack

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/669382af-f836-4896-bdcb-5c6a57c99bd9/