PT-2024-16597 · WordPress · Jetpack
Eldar · Published 2024-12-25 · Updated 2024-12-26
CVE-2024-10858
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jetpack WordPress plugin versions prior to 14.1
Description
Jetpack WordPress plugin versions 13.x do not properly validate the origin of incoming postMessage events. The origin check can be bypassed, leading to DOM-based XSS. The problem only affects websites hosted on WordPress.com.
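As an added illustration of the weakness class described above (a constructed example, not Jetpack's own code or its actual fix): a substring-based origin check beside a strict allowlist check, and a message listener that writes received data to a text sink. The allowlisted origins and the look-alike origin are assumptions made for the example.

```javascript
// Added, constructed example (not Jetpack's code): a weak postMessage origin
// check beside a strict allowlist check, plus a listener that uses a text sink.
// Hypothetical allowlist; a real deployment lists only the origins it expects.
const ALLOWED_ORIGINS = new Set([
  'https://wordpress.com',
  'https://public-api.wordpress.com',
]);

// Weak pattern: substring matching accepts any origin that merely *contains*
// the trusted host name, so an unrelated origin passes the check.
function weakOriginCheck(origin) {
  return typeof origin === 'string' && origin.indexOf('wordpress.com') !== -1;
}

// Strict pattern: event.origin is an exact scheme://host[:port] string, so
// compare it for equality against an explicit allowlist. The string "null"
// (opaque origins such as sandboxed frames) is rejected because it is not listed.
function strictOriginCheck(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Builds the page-side 'message' listener. `el` stands in for a DOM node so the
// example runs outside a browser; in a page it would be a real element.
function makeListener(originCheck, el) {
  return function onMessage(event) {
    if (!originCheck(event.origin)) return false;               // untrusted sender: drop
    const { data } = event;
    if (!data || typeof data.text !== 'string') return false;   // schema check on payload
    el.textContent = data.text;  // text sink: markup is not interpreted (no innerHTML)
    return true;
  };
}

// Stand-alone demo with a constructed look-alike origin (.invalid TLD, RFC 2606).
const LOOKALIKE = 'https://wordpress.com.example.invalid';
console.log('weak check accepts look-alike:  ', weakOriginCheck(LOOKALIKE));   // true
console.log('strict check accepts look-alike:', strictOriginCheck(LOOKALIKE)); // false
```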
Recommendations
For versions prior to 14.1, update to version 14.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the postMessage functionality until a patch is available.
Affected Products
Jetpack