CVE-2024-10075 β€” Authorization Bypass Through User-Controlled Key in Jetpack

CWE-639 β€” Authorization Bypass Through User-Controlled Key3 documents3 sources
Severity
5.6MEDIUMNVD
EPSS
0.3%
top 48.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Automattic Jetpack
Timeline
PublishedMay 15

Description

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and block.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.2 | Impact: 3.4

Affected Packages1 packages

β–ΆNVDautomattic/jetpack< 13.8

πŸ”΄Vulnerability Details

2
CVEList
Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution↗2025-05-15
β–Ά
GHSA
GHSA-cg9w-78cc-f78x: The Jetpack WordPress plugin before 13β†—2025-05-15
β–Ά
CVE-2024-10075 β€” Automattic Jetpack vulnerability | cvebase