CVE-2024-9926

Published: Nov 7, 2024Modified: May 28, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form

Affected (10)

Products: Automattic: Jetpack

Automattic

1 product

Jetpack

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Automattic Jetpack	From 13.1 to 13.1.4
Automattic Jetpack	From 13.2 to 13.2.3
Automattic Jetpack	From 13.3 to 13.3.2
Automattic Jetpack	From 13.4 to 13.4.4
Automattic Jetpack	From 13.8 to 13.8.2
Automattic Jetpack	Version 13.0
Automattic Jetpack	Version 13.5
Automattic Jetpack	Version 13.6
Automattic Jetpack	Version 13.7
Automattic Jetpack	Version 13.9

References (1)

https://wpscan.com/vulnerability/669382af-f836-4896-bdcb-5c6a57c99bd9/

Source: contact@wpscan.com

ExploitThird Party Advisory

Timeline

No history available yet.