The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.
References
Link | Resource |
---|---|
https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/ | Vendor Advisory |
https://wpscan.com/vulnerability/52d221bd-ae42-435d-a90a-60a5ae530663 | Exploit Third Party Advisory |
Configurations
History
07 Nov 2023, 04:13
Type | Values Removed | Values Added |
---|---|---|
CWE |
03 Jul 2023, 19:26
Type | Values Removed | Values Added |
---|---|---|
First Time |
Automattic jetpack
Automattic |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
CPE | cpe:2.3:a:automattic:jetpack:*:*:*:*:*:wordpress:*:* | |
References | (MISC) https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/ - Vendor Advisory | |
References | (MISC) https://wpscan.com/vulnerability/52d221bd-ae42-435d-a90a-60a5ae530663 - Exploit, Third Party Advisory |
27 Jun 2023, 14:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-27 14:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-2996
Mitre link : CVE-2023-2996
CVE.ORG link : CVE-2023-2996
JSON object : View
Products Affected
automattic
- jetpack
CWE
No CWE.