WordPress Jetpack plugin <= 9.7.1 - Attached Image Comment Leak For Non-Published Post And Pages in Carousel Feature


Software: Jetpack
Versions: <= 9.7.1
Disclosure date: 2021-06-01
CVE: CVE-2021-24374
Credits:
Classification: Insecure Direct Object References (IDOR)
OWASP Top 10: A5: Broken Access Control
CVSS 3.0 score: 5.3 (Medium)

The CVSS base score is above medium, but the real impact is way lower.


Details

Attached image comments of unpublished posts and pages can be leaked through the Carousel feature of the WordPress Jetpack plugin (versions <= 9.7.1). Discovered by nguyenhg_vcs.

Solution

Update the WordPress Jetpack plugin to the latest available version (at least 9.8).
