Cross-Site Scripting in Jetpack Plugin for WordPress
CVE-2016-10706

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Jetpack
Vendor: CVE Published:; 12 January 2018

Summary

The Jetpack plugin for WordPress versions prior to 4.0.3 is susceptible to a Cross-Site Scripting (XSS) vulnerability that can be exploited via a specially crafted Vimeo link. When an unprivileged user submits such a link, the malicious script can execute in the context of the browsing session. This could lead to unauthorized actions being performed on behalf of the user or exposure of sensitive data. It is critical for users of the Jetpack plugin to upgrade to at least version 4.0.3 to mitigate this risk.

References

https://jetpack.com/2016/05/27/jetpack-4-0-3-critical-sec...

x_refsource_MISC

https://www.wordfence.com/blog/2016/05/jetpack-vulnerabil...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Jan 12, 2018