WordPress Plugin Vulnerabilities
Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak
Description
The Jetpack Carousel module allows users to create a "carousel" type image gallery and allows users to comment on the images.
nguyenhg_vcs found a security vulnerability in the Jetpack Carousel module that allowed the comments of non-published pages/posts to be leaked.
Please refer to the Proof of Concept (PoC) of this vulnerability for further technical details.
Proof of Concept
By changing the "id" parameter of the POST request to a valid media attachment id on a page/post that was not public, it was possible to leak the non-public comments.
http://example.com/wp-admin/admin-ajax.php?action=get_attachment_comments&nonce=4aadefa6ee&id=28&offset=0
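For sites that ran an affected version, web server access logs can be reviewed for clients that walked the "id" parameter of this endpoint. The script below is an added example, not part of the original advisory or of Jetpack. It assumes combined-format access logs, that the parameters appear in the query string as in the URL above (values sent in a POST body are not logged), and a hypothetical threshold of 3 distinct ids; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2021:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=get_attachment_comments&nonce=4aadefa6ee&id=28&offset=0 HTTP/1.1" 200 512
203.0.113.7 - - [03/Jun/2021:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=get_attachment_comments&nonce=4aadefa6ee&id=29&offset=0 HTTP/1.1" 200 2
203.0.113.7 - - [03/Jun/2021:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=get_attachment_comments&nonce=4aadefa6ee&id=30&offset=0 HTTP/1.1" 200 840
203.0.113.7 - - [03/Jun/2021:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60
198.51.100.20 - - [03/Jun/2021:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=get_attachment_comments&nonce=4aadefa6ee&id=28&offset=0 HTTP/1.1" 200 512
198.51.100.20 - - [03/Jun/2021:10:05:09 +0000] "POST /wp-admin/admin-ajax.php?action=get_attachment_comments&nonce=4aadefa6ee&id=28&offset=10 HTTP/1.1" 200 2
not a log line
"""

# client, method, request target, status code
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b')

def attachment_comment_requests(lines):
    """Yield (client, attachment_id) for successful get_attachment_comments calls."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # malformed or non-request line
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if not url.path.endswith("/wp-admin/admin-ajax.php") or status != "200":
            continue
        if query.get("action") != ["get_attachment_comments"]:
            continue
        ids = query.get("id", [])
        if len(ids) == 1 and re.fullmatch(r"[0-9]+", ids[0]):
            yield client, int(ids[0])

def flag_id_enumeration(lines, threshold=3):
    """Return {client: sorted ids} for clients that queried >= threshold distinct ids."""
    seen = defaultdict(set)
    for client, attachment_id in attachment_comment_requests(lines):
        seen[client].add(attachment_id)  # paging with "offset" on one id counts once
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for client, ids in flag_id_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{client} requested comments for {len(ids)} attachment ids: {ids}")
```

A flagged client is a lead for review, not proof of a leak: compare the listed ids against attachments whose parent page/post was not public at the time.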
Affects Plugins
References
Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
nguyenhg_vcs
Submitter
Jetpack Scan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-06-03 (about 2 years ago)
Added
2021-06-03 (about 2 years ago)
Last Updated
2022-01-04 (about 1 year ago)