CVE-2023-2996
N/A
N/A
Summary
The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Unknown | Jetpack | 1.9 < 2.0.9 | affected |
| Unknown | Jetpack | 2.1 < 2.1.7 | affected |
| Unknown | Jetpack | 2.2 < 2.2.10 | affected |
| Unknown | Jetpack | 2.3 < 2.3.10 | affected |
| Unknown | Jetpack | 2.4 < 2.4.7 | affected |
| Unknown | Jetpack | 2.5 < 2.5.5 | affected |
| Unknown | Jetpack | 2.6 < 2.6.6 | affected |
| Unknown | Jetpack | 2.7 < 2.7.5 | affected |
| Unknown | Jetpack | 2.8 < 2.8.5 | affected |
| Unknown | Jetpack | 2.9 < 2.9.6 | affected |
| Unknown | Jetpack | 3.0 < 3.0.6 | affected |
| Unknown | Jetpack | 3.1 < 3.1.5 | affected |
| Unknown | Jetpack | 3.2 < 3.2.5 | affected |
| Unknown | Jetpack | 3.3 < 3.3.6 | affected |
| Unknown | Jetpack | 3.4 < 3.4.6 | affected |
| Unknown | Jetpack | 3.5 < 3.5.6 | affected |
| Unknown | Jetpack | 3.6 < 3.6.4 | affected |
| Unknown | Jetpack | 3.7 < 3.7.5 | affected |
| Unknown | Jetpack | 3.8 < 3.8.5 | affected |
| Unknown | Jetpack | 3.9 < 3.9.9 | affected |
| Unknown | Jetpack | 4.0 < 4.0.6 | affected |
| Unknown | Jetpack | 4.1 < 4.1.3 | affected |
| Unknown | Jetpack | 4.2 < 4.2.4 | affected |
| Unknown | Jetpack | 4.3 < 4.3.4 | affected |
| Unknown | Jetpack | 4.4 < 4.4.4 | affected |
| Unknown | Jetpack | 4.5 < 4.5.2 | affected |
| Unknown | Jetpack | 4.6 < 4.6.2 | affected |
| Unknown | Jetpack | 4.7 < 4.7.3 | affected |
| Unknown | Jetpack | 4.8 < 4.8.4 | affected |
| Unknown | Jetpack | 4.9 < 4.9.2 | affected |
| Unknown | Jetpack | 5.0 < 5.0.2 | affected |
| Unknown | Jetpack | 5.1 < 5.1.3 | affected |
| Unknown | Jetpack | 5.2 < 5.2.4 | affected |
| Unknown | Jetpack | 5.3 < 5.3.3 | affected |
| Unknown | Jetpack | 5.4 < 5.4.3 | affected |
| Unknown | Jetpack | 5.5 < 5.5.4 | affected |
| Unknown | Jetpack | 5.6 < 5.6.4 | affected |
| Unknown | Jetpack | 5.7 < 5.7.4 | affected |
| Unknown | Jetpack | 5.8 < 5.8.3 | affected |
| Unknown | Jetpack | 5.9 < 5.9.3 | affected |
| Unknown | Jetpack | 6.0 < 6.0.3 | affected |
| Unknown | Jetpack | 6.1 < 6.1.4 | affected |
| Unknown | Jetpack | 6.2 < 6.2.4 | affected |
| Unknown | Jetpack | 6.3 < 6.3.6 | affected |
| Unknown | Jetpack | 6.4 < 6.4.5 | affected |
| Unknown | Jetpack | 6.5 < 6.5.3 | affected |
| Unknown | Jetpack | 6.6 < 6.6.4 | affected |
| Unknown | Jetpack | 6.7 < 6.7.3 | affected |
| Unknown | Jetpack | 6.8 < 6.8.4 | affected |
| Unknown | Jetpack | 6.9 < 6.9.3 | affected |
| Unknown | Jetpack | 7.0 < 7.0.4 | affected |
| Unknown | Jetpack | 7.1 < 7.1.4 | affected |
| Unknown | Jetpack | 7.2 < 7.2.4 | affected |
| Unknown | Jetpack | 7.3 < 7.3.4 | affected |
| Unknown | Jetpack | 7.4 < 7.4.4 | affected |
| Unknown | Jetpack | 7.5 < 7.5.6 | affected |
| Unknown | Jetpack | 7.6 < 7.6.3 | affected |
| Unknown | Jetpack | 7.7 < 7.7.5 | affected |
| Unknown | Jetpack | 7.8 < 7.8.3 | affected |
| Unknown | Jetpack | 7.9 < 7.9.3 | affected |
| Unknown | Jetpack | 8.0 < 8.0.2 | affected |
| Unknown | Jetpack | 8.1 < 8.1.3 | affected |
| Unknown | Jetpack | 8.2 < 8.2.5 | affected |
| Unknown | Jetpack | 8.3 < 8.3.2 | affected |
| Unknown | Jetpack | 8.4 < 8.4.4 | affected |
| Unknown | Jetpack | 8.5 < 8.5.2 | affected |
| Unknown | Jetpack | 8.6 < 8.6.3 | affected |
| Unknown | Jetpack | 8.7 < 8.7.3 | affected |
| Unknown | Jetpack | 8.8 < 8.8.4 | affected |
| Unknown | Jetpack | 8.9 < 8.9.3 | affected |
| Unknown | Jetpack | 9.0 < 9.0.4 | affected |
| Unknown | Jetpack | 9.1 < 9.1.2 | affected |
| Unknown | Jetpack | 9.2 < 9.2.3 | affected |
| Unknown | Jetpack | 9.3 < 9.3.4 | affected |
| Unknown | Jetpack | 9.4 < 9.4.3 | affected |
| Unknown | Jetpack | 9.5 < 9.5.4 | affected |
| Unknown | Jetpack | 9.6 < 9.6.3 | affected |
| Unknown | Jetpack | 9.7 < 9.7.2 | affected |
| Unknown | Jetpack | 9.8 < 9.8.2 | affected |
| Unknown | Jetpack | 9.9 < 9.9.2 | affected |
| Unknown | Jetpack | 10.0 < 10.0.1 | affected |
| Unknown | Jetpack | 10.1 < 10.1.1 | affected |
| Unknown | Jetpack | 10.2 < 10.2.2 | affected |
| Unknown | Jetpack | 10.3 < 10.3.1 | affected |
| Unknown | Jetpack | 10.4 < 10.4.1 | affected |
| Unknown | Jetpack | 10.5 < 10.5.2 | affected |
| Unknown | Jetpack | 10.6 < 10.6.2 | affected |
| Unknown | Jetpack | 10.7 < 10.7.1 | affected |
| Unknown | Jetpack | 10.8 < 10.8.1 | affected |
| Unknown | Jetpack | 10.9 < 10.9.2 | affected |
| Unknown | Jetpack | 11.0 < 11.0.1 | affected |
| Unknown | Jetpack | 11.1 < 11.1.3 | affected |
| Unknown | Jetpack | 11.2 < 11.2.1 | affected |
| Unknown | Jetpack | 11.3 < 11.3.3 | affected |
| Unknown | Jetpack | 11.4 < 11.4.1 | affected |
| Unknown | Jetpack | 11.5 < 11.5.2 | affected |
| Unknown | Jetpack | 11.6 < 11.6.1 | affected |
| Unknown | Jetpack | 11.7 < 11.7.2 | affected |
| Unknown | Jetpack | 11.8 < 11.8.5 | affected |
| Unknown | Jetpack | 11.9 < 11.9.2 | affected |
| Unknown | Jetpack | 12.0 < 12.0.1 | affected |
| Unknown | Jetpack | 12.1 < 12.1.1 | affected |
Weaknesses
- CWE-20 Improper Input Validation
ADP Enrichment
CVE Program Container
Additional References
- https://wpscan.com/vulnerability/52d221bd-ae42-435d-a90a-60a5ae530663
- https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://wpscan.com/vulnerability/52d221bd-ae42-435d-a90a-60a5ae530663
- https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.