#VU22896 Input validation error in Jetpack by WordPress.com


Published: 2019-11-21

Vulnerability identifier: #VU22896

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jetpack by WordPress.com
Web applications / Modules and components for CMS

Vendor: Automattic

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the way Jetpack processed embed code. A remote attacker can execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jetpack by WordPress.com: 5.1 - 7.9 beta3

External links
http://wpvulndb.com/vulnerabilities/9955/
http://plugins.trac.wordpress.org/changeset/2196895/jetpack
http://github.com/Automattic/jetpack/commit/5e38904da8eda0bc86b29fd5298c222e362583df
http://jetpack.com/2019/11/19/jetpack-7-9-1-maintenance-security/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Remote code execution in Automattic Jetpack by WordPress.com plugin