WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak

Description

The Jetpack Carousel module allows users to create a "carousel" type image gallery and allows users to comment on the images.

A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked.

Please refer to the Proof of Concept (PoC) of this vulnerability for further technical details.

Proof of Concept

By changing the "id" parameter of the POST request to a valid media attachment id on a page/post that was not public, it was possible to leak the non-public comments.

http://example.com/wp-admin/admin-ajax.php?action=get_attachment_comments&nonce=4aadefa6ee&id=28&offset=0

Affects Plugins

jetpack
Fixed in version 9.8

References

CVE
CVE-2021-24374
URL
https://jetpack.com/2021/06/01/jetpack-9-8-engage-your-audience-with-wordpress-stories/
URL
https://plugins.trac.wordpress.org/changeset/2541817/jetpack

Classification

Type

IDOR

OWASP top 10
A5: Broken Access Control
CWE
CWE-639

Miscellaneous

Original Researcher

nguyenhg_vcs

Submitter

Jetpack Scan

Verified

Yes

WPVDB ID
08a8a51c-49d3-4bce-b7e0-e365af1d8f33

Timeline

Publicly Published

2021-06-03 (about 2 years ago)

Added

2021-06-03 (about 2 years ago)

Last Updated

2022-01-04 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin