CVE-2024-10076: Cross-site Scripting in Jetpack

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.2% (top 61.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 15

Description

The Jetpack WordPress plugin before 13.8 and the Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns they shouldn't, ultimately making it possible for contributor and above users to perform Stored XSS attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Exploitability: 1.7 | Impact: 3.7

Affected Packages: 2 packages

🔴 Vulnerability Details: 2

GHSA (2025-05-15): GHSA-wj5c-qqg6-p7qc: The Jetpack WordPress plugin before 13
CVEList (2025-05-15): Jetpack < 13.8, Boost < 3.4.8 - Contributor+ Stored XSS