← Back

CVE-2024-10076

nvd nist
Published: May 15, 2025Modified: Jun 4, 2025

JSON object

Loading...
5.9
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Exploitability: 1.7 / Impact: 3.7
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and above users to perform Stored XSS attacks

Affected (2)

Automattic
2 products
Jetpack
Jetpack Boost
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Jetpack
Before 13.8
Jetpack Boost
Before 3.4.8

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: contact@wpscan.com
Third Party Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Third Party Advisory

Timeline

No history available yet.