Jetpack < 13.9.1 – Subscriber+ Arbitrary Feedback Access | CVE 2024-9926 | Plugin Vulnerabilities

Description

The plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form

Proof of Concept

Run the below command in the web console of the web browser when logged in on the blog as a subscriber:

wp.apiFetch( { path: 'wp/v2/feedback' } ).then( data => console.log( data ) );

Affects Plugins

Fixed in 13.9.1

Fixed in 13.8.2

Fixed in 13.7.1

Fixed in 13.6.1

Fixed in 13.5.1

Fixed in 13.4.4

Fixed in 13.3.2

Fixed in 13.2.3

Fixed in 13.1.4

Fixed in 13.0.1

Fixed in 12.9.4

Fixed in 12.8.2

Fixed in 12.7.2

Fixed in 12.6.3

Fixed in 12.5.1

Fixed in 12.4.1

Fixed in 12.3.1

Fixed in 12.2.2

Fixed in 12.1.2

Fixed in 12.0.2

Fixed in 11.9.3

Fixed in 11.8.6

Fixed in 11.7.3

Fixed in 11.6.2

Fixed in 11.5.3

Fixed in 11.4.2

Fixed in 11.3.4

Fixed in 11.2.2

Fixed in 11.1.4

Fixed in 11.0.2

Fixed in 10.9.3

Fixed in 10.8.2

Fixed in 10.7.2

Fixed in 10.6.2

Fixed in 10.5.3

Fixed in 10.4.2

Fixed in 10.3.2

Fixed in 10.2.3

Fixed in 10.1.2

Fixed in 10.0.2

Fixed in 9.9.3

Fixed in 9.8.3

Fixed in 9.7.3

Fixed in 9.6.4

Fixed in 9.5.5

Fixed in 9.4.4

Fixed in 9.3.5

Fixed in 9.2.4

Fixed in 9.1.3

Fixed in 9.0.5

Fixed in 8.9.4

Fixed in 8.8.5

Fixed in 8.7.4

Fixed in 8.6.4

Fixed in 8.5.3

Fixed in 8.4.5

Fixed in 8.3.3

Fixed in 8.2.6

Fixed in 8.1.4

Fixed in 8.0.3

Fixed in 7.9.4

Fixed in 7.8.4

Fixed in 7.7.6

Fixed in 7.6.4

Fixed in 7.5.7

Fixed in 7.4.5

Fixed in 7.3.5

Fixed in 7.2.5

Fixed in 7.1.5

Fixed in 7.0.5

Fixed in 6.9.4

Fixed in 6.8.5

Fixed in 6.7.4

Fixed in 6.6.5

Fixed in 6.5.4

Fixed in 6.4.6

Fixed in 6.3.7

Fixed in 6.2.5

Fixed in 6.1.5

Fixed in 6.0.4

Fixed in 5.9.4

Fixed in 5.8.4

Fixed in 5.7.5

Fixed in 5.6.5

Fixed in 5.5.5

Fixed in 5.4.4

Fixed in 5.3.4

Fixed in 5.2.5

Fixed in 5.1.4

Fixed in 5.0.3

Fixed in 4.9.3

Fixed in 4.8.5

Fixed in 4.7.4

Fixed in 4.6.3

Fixed in 4.5.3

Fixed in 4.4.5

Fixed in 4.3.5

Fixed in 4.2.5

Fixed in 4.1.4

Fixed in 4.0.7

Fixed in 3.9.10

References

CVE

URL

https://jetpack.com/blog/jetpack-13-9-1-critical-security-update/

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Marc Montpas

Submitter

Marc Montpas

Verified

Yes

WPVDB ID

669382af-f836-4896-bdcb-5c6a57c99bd9

Timeline

Publicly Published

2024-10-14 (about 1 year ago)

Added

2024-10-14 (about 1 year ago)

Last Updated

2024-10-15 (about 1 year ago)

Other

Published

Title

Published

2024-06-10

Title

WPS Hide Login < 1.9.16 - Login Page Disclosure

Published

2024-04-05

Title

PostX – Gutenberg Blocks for Post Grid < 3.2.4 - Incorrect Authorization

Published

2025-11-14

Title

Image Gallery – Photo Grid & Video Gallery < 2.12.29 - Author+ Arbitrary Image File Move

Published

2022-09-22

Title

Customer Reviews for WooCommerce < 5.3.6 - Broken Access Control

Published

2024-09-04

Title

SmartSearchWP < 2.4.6 - Unauthenticated OpenAI Key Disclosure