WordPress Plugin Vulnerabilities

Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution

Description

The plugin does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and block.

Affects Plugins

Plugin icon
jetpack
Fixed in 13.8

References

CVE
CVE-2024-10075

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.6 (medium)

Miscellaneous

Original Researcher
Marc Montpas
Submitter
Marc Montpas
Verified
Yes
WPVDB ID
a984976c-291a-4f68-90d4-e452605ea7d1

Timeline

Publicly Published
2024-09-04 (about 1 year ago)
Added
2024-10-17 (about 1 year ago)
Last Updated
2024-10-17 (about 1 year ago)

Other

Published
Title
Published
2022-02-10
Title
Spiffy Calendar < 4.9.1 - Subscriber+ Arbitrary Event Edition/Deletion via IDOR
Published
2025-02-23
Title
Amelia < 1.2.17 - Unauthenticated Insecure Direct Object Reference
Published
2025-01-10
Title
Post Duplicator < 2.37 - Authenticated (Contributor+) Protected Post Disclosure
Published
2025-07-08
Title
Support Board < 3.8.1 - Unauthenticated Authorization Bypass due to Use of Default Secret Key
Published
2025-10-16
Title
Binary MLM Plan <= 5.0 - Authenticated (Subscriber+) Insecure Direct Object Reference