CVE-2023-2996

Severity: 8.8 HIGH
EPSS: 3.3% (top 12.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 27

Description

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with the author role or above to manipulate existing files on the site, delete arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

Source      Package              Affected versions
CVEListV5   unknown/jetpack      1.92.0.9+101
NVD         automattic/jetpack   < 12.1.1

Vulnerability Details (2 sources)

GHSA: GHSA-qhhp-34vh-xjwv: The Jetpack WordPress plugin before 12 (2023-06-27)
CVEList: Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API (2023-06-27)
CVE-2023-2996 (HIGH CVSS 8.8) | The Jetpack WordPress plugin before | cvebase.io