CVE-2024-10858

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
6.1MEDIUM
EPSS
0.0%
top 89.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown JetpackAutomattic Jetpack
Timeline
PublishedDec 25

Description

The Jetpack WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/jetpack13.014.1
NVDautomattic/jetpack< 14.1

🔴Vulnerability Details

2
CVEList
Jetpack 13.0-14.0 - Unauthenticated DOM-XSS2024-12-25
GHSA
GHSA-pjm4-fjw9-x2fh: The Jetpack WordPress plugin before 142024-12-25
CVE-2024-10858 (MEDIUM CVSS 6.1) | The Jetpack WordPress plugin before | cvebase.io