CVE-2024-9926

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/669382af-f836-4896-bdcb-5c6a57c99bd9/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:automattic:jetpack::::::wordpress::*
	cpe:2.3:a:automattic:jetpack::::::wordpress::*
	cpe:2.3:a:automattic:jetpack::::::wordpress::*
	cpe:2.3:a:automattic:jetpack::::::wordpress::*
	cpe:2.3:a:automattic:jetpack::::::wordpress::*
	cpe:2.3:a:automattic:jetpack:13.0:::::wordpress::
	cpe:2.3:a:automattic:jetpack:13.5:::::wordpress::
	cpe:2.3:a:automattic:jetpack:13.6:::::wordpress::
	cpe:2.3:a:automattic:jetpack:13.7:::::wordpress::
	cpe:2.3:a:automattic:jetpack:13.9:::::wordpress::

History

28 May 2025, 20:51

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:automattic:jetpack::::::wordpress::* cpe:2.3:a:automattic:jetpack:13.7:::::wordpress:: cpe:2.3:a:automattic:jetpack:13.9:::::wordpress:: cpe:2.3:a:automattic:jetpack:13.0:::::wordpress:: cpe:2.3:a:automattic:jetpack:13.5:::::wordpress:: cpe:2.3:a:automattic:jetpack:13.6:::::wordpress::
First Time		Automattic jetpack Automattic
References	~~() https://wpscan.com/vulnerability/669382af-f836-4896-bdcb-5c6a57c99bd9/ -~~	() https://wpscan.com/vulnerability/669382af-f836-4896-bdcb-5c6a57c99bd9/ - Exploit, Third Party Advisory

Information

Published : 2024-11-07 15:15

Updated : 2025-05-28 20:51

NVD link : CVE-2024-9926

Mitre link : CVE-2024-9926

CVE.ORG link : CVE-2024-9926

JSON object : View

Products Affected

automattic

jetpack

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-9926", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-11-07T15:15:05.860", "references": [{"url": "https://wpscan.com/vulnerability/669382af-f836-4896-bdcb-5c6a57c99bd9/", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form"}, {"lang": "es", "value": "El complemento Jetpack WordPress no tiene la autorizaci\u00f3n adecuada en uno de sus endpoints REST, lo que permite que cualquier usuario autenticado, como un suscriptor, lea datos de comentarios arbitrarios enviados a trav\u00e9s del formulario de contacto de Jetpack."}], "lastModified": "2025-05-28T20:51:40.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:automattic:jetpack:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "52C880A8-10D6-465C-BBE4-A16E616C8265", "versionEndExcluding": "13.1.4", "versionStartIncluding": "13.1"}, {"criteria": "cpe:2.3:a:automattic:jetpack:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "FCFCEFF3-DA25-44C4-9146-79E80F032119", "versionEndExcluding": "13.2.3", "versionStartIncluding": "13.2"}, {"criteria": "cpe:2.3:a:automattic:jetpack:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "FBAB98F8-28E4-4734-99BC-409FB23A2C29", "versionEndExcluding": "13.3.2", "versionStartIncluding": "13.3"}, {"criteria": "cpe:2.3:a:automattic:jetpack:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "6721DC26-A954-4946-80E3-D258756C30FE", "versionEndExcluding": "13.4.4", "versionStartIncluding": "13.4"}, {"criteria": "cpe:2.3:a:automattic:jetpack:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "286CD858-41BC-4B3B-B438-197FF083DC26", "versionEndExcluding": "13.8.2", "versionStartIncluding": "13.8"}, {"criteria": "cpe:2.3:a:automattic:jetpack:13.0:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "192B904F-72CC-47F4-90DE-809F4B7C5210"}, {"criteria": "cpe:2.3:a:automattic:jetpack:13.5:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "36B9ED36-0F34-4CC3-A094-C75D205F293D"}, {"criteria": "cpe:2.3:a:automattic:jetpack:13.6:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "35BDF8B0-6721-4EC5-95D9-1B4B705CBD59"}, {"criteria": "cpe:2.3:a:automattic:jetpack:13.7:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "4997D8BF-600C-432B-9669-86C887EF3A84"}, {"criteria": "cpe:2.3:a:automattic:jetpack:13.9:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "48FF3595-22A6-43F3-869F-21A539307C29"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}