DOM-Based Cross-Site Scripting Vulnerability in Jetpack Plugin for WordPress
CVE-2024-10858

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Jetpack
Vendor: CVE Published:; 25 December 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Jetpack plugin for WordPress, specifically versions prior to 14.1, is susceptible to a serious flaw that allows for DOM-based Cross-Site Scripting (XSS) attacks. This vulnerability arises from the plugin's failure to adequately verify the origin of post messages in its 13.x versions. Attackers can exploit this weakness to bypass security checks, potentially leading to the execution of malicious scripts on affected websites. This issue is significant for users of WordPress.com, as the affected environment facilitates these types of exploits without proper user consent or awareness. Website administrators using the plugin must update to the latest version to mitigate any risks associated with this vulnerability.

Affected Version(s)

Jetpack 13.0 < 14.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10858 - Proof of Concept

References

https://wpscan.com/vulnerability/7fecba37-d718-4dd4-89f3-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Dec 25, 2024
👾
Exploit known to exist
Dec 25, 2024
Vulnerability published
Dec 25, 2024
Vulnerability Reserved
Nov 5, 2024

Credit

Eldar (hakupiku)

WPScan