Description

The Jetpack WordPress plugin before 14.1 does not properly check the postMessage origin in its 13.x versions, allowing the origin check to be bypassed and leading to DOM-based XSS. The issue only affects websites hosted on WordPress.com.
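The following is an added illustration of the bug class the description names, not Jetpack's own code: the exact flawed check in Jetpack 13.x is not described on this page. It contrasts a loose origin check (substring match) that an attacker-controlled origin can satisfy with an exact-match allowlist, and runs both against constructed messages outside a browser. The trusted origin `https://wordpress.com` and the message shape are assumptions.

```javascript
'use strict';

// Assumption: the only origin the page should accept messages from.
const ALLOWED_ORIGINS = ['https://wordpress.com'];

// Weak check of the kind that leads to bypasses. A substring (or suffix)
// comparison accepts attacker-controlled origins such as
// https://wordpress.com.attacker.example or https://notwordpress.com,
// and also accepts a scheme downgrade to http://wordpress.com.
function looseOriginCheck(origin) {
  return origin.indexOf('wordpress.com') !== -1;
}

// Correct check: exact comparison of the full origin (scheme + host + port)
// against an allowlist. No prefix, suffix or regex matching.
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.includes(origin);
}

// Stand-in for a DOM element so the handler can run under Node.
function makeSink() {
  return { innerHTML: '' };
}

// Simulates a window 'message' handler that writes event.data into a DOM sink.
// Returns the sink content afterwards so the effect is observable: if the
// origin check can be bypassed, attacker markup reaches innerHTML (DOM XSS).
function handleMessage(event, originCheck, sink) {
  if (!originCheck(event.origin)) {
    return sink.innerHTML; // message ignored, sink untouched
  }
  const payload = typeof event.data === 'string' ? event.data : '';
  sink.innerHTML = payload; // the DOM-XSS sink
  return sink.innerHTML;
}

// Constructed sample payload and messages (not captured from any real site).
const XSS = '<img src=x onerror="alert(document.domain)">';
const MESSAGES = [
  { origin: 'https://wordpress.com', data: 'hello' },               // trusted
  { origin: 'https://wordpress.com.attacker.example', data: XSS },  // attacker subdomain
  { origin: 'http://wordpress.com', data: XSS },                    // scheme downgrade
];

// Runs every sample message through the handler with the given origin check
// and returns what ended up in the sink for each one.
function run(originCheck) {
  return MESSAGES.map((m) => handleMessage(m, originCheck, makeSink()));
}

console.log('loose :', run(looseOriginCheck));
console.log('strict:', run(strictOriginCheck));
```

With the loose check, both attacker messages land in `innerHTML`; with the exact-match allowlist only the message from the trusted origin does. The same exact-match rule applies in the other direction: when posting, pass the intended target origin as the second argument to `postMessage` rather than `'*'`.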

PUBLISHED Reserved 2024-11-05 | Published 2024-12-25 | Updated 2024-12-26 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status
unaffected

13.0 (semver) before 14.1
affected

Credits

Eldar (hakupiku) finder

WPScan coordinator

References

wpscan.com/...rability/7fecba37-d718-4dd4-89f3-285fb36a4165/ exploit vdb-entry technical-description

cve.org (CVE-2024-10858)

nvd.nist.gov (CVE-2024-10858)