Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak
CVE-2021-24374

5.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Jetpack – WP Security, Backup, Speed, & Growth
Vendor: CVE Published:; 21 June 2021

Summary

The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked.

Affected Version(s)

Jetpack – WP Security, Backup, Speed, & Growth 9.8

References

https://wpscan.com/vulnerability/08a8a51c-49d3-4bce-b7e0-...

x_refsource_CONFIRM

https://jetpack.com/2021/06/01/jetpack-9-8-engage-your-au...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 21, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

nguyenhg_vcs