Cyber Resilience

CVE-2023-2996

High · Public PoC

Published: 27 June 2023
Modified: 21 November 2024
KEV Added: not listed
Patch:
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0335 (87.6th percentile)
Risk priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-2996 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Automattic Jetpack. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 12.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Jetpack WordPress plugin before version 12.1.1 is affected by a missing validation check on uploaded files. The flaw resides in the plugin's file-handling routines: when certain uploads are processed, existing site files can be manipulated.

Users holding the author role or above can exploit the issue over the network without user interaction. Successful attacks allow deletion of arbitrary files on the server and, in limited configurations, remote code execution through phar deserialization, corresponding to the reported CVSS 8.8 rating.

Jetpack's security advisory and accompanying blog post state that the vulnerability is resolved by upgrading to version 12.1.1; the same guidance is mirrored in the WPScan entry for the issue. The associated EPSS score reached a modest peak of 0.0511 before receding to its current value of 0.0335.

Vulnerability details

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with the author role or above to manipulate existing files on the site, delete arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: automattic
Product: jetpack
Versions: ≤ 12.1.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
