CVE-2023-2996
Published: 27 June 2023
Summary
CVE-2023-2996 is a high-severity vulnerability in Automattic Jetpack; no CWE has been assigned to it. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 12.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Jetpack WordPress plugin before version 12.1.1 is affected by a missing validation check on uploaded files. This flaw resides in the plugin's file-handling routines and enables manipulation of existing site files when processing certain uploads.
Users holding the author role or above can exploit the issue over the network without user interaction. Successful attacks allow deletion of arbitrary files on the server and, in limited configurations, remote code execution through phar deserialization, corresponding to the reported CVSS 8.8 rating.
Jetpack's security advisory and accompanying blog post state that the vulnerability is resolved by upgrading to version 12.1.1; the same guidance is mirrored in the WPScan entry for the issue. The associated EPSS score reached a modest peak of 0.0511 before receding to its current value of 0.0335.
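Since the only fix is the version upgrade, the practical check is whether an installed Jetpack is older than 12.1.1. The script below is an added example, not code from the advisory or from Jetpack: it reads the standard `Version:` plugin header that WordPress requires in a plugin's main file (for Jetpack, `wp-content/plugins/jetpack/jetpack.php`) and compares it numerically against 12.1.1. The sample header embedded in it is constructed for the example and is not copied from the plugin.

```python
"""Audit an installed Jetpack version against the 12.1.1 fix for CVE-2023-2996.

Added example (not Jetpack's or the advisory's code). It relies only on the
standard WordPress plugin header, e.g. " * Version: 12.0.2", in the plugin's
main file, which for Jetpack is wp-content/plugins/jetpack/jetpack.php.
"""
import re
from pathlib import Path

FIXED_VERSION = "12.1.1"  # first fixed release per the Jetpack advisory

# Matches a "Version:" header line, with or without the leading " * " of a
# block comment, and captures the version token that follows it.
_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> tuple:
    """Turn '12.1.1', '12.1' or '12.1.1-beta2' into a comparable tuple of ints.

    Pre-release suffixes after '-' or '+' are dropped, so '12.1.1-beta' compares
    equal to '12.1.1'. Treat a pre-release that parses as "fixed" as a caveat:
    confirm the build actually contains the fix rather than trusting the number.
    """
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(m.group()))
    while len(parts) < 3:  # pad so that 12.1 compares as 12.1.0
        parts.append(0)
    return tuple(parts)


def version_from_header(plugin_file_text: str) -> str:
    """Extract the declared version from the text of a plugin's main PHP file."""
    m = _HEADER_RE.search(plugin_file_text)
    if not m:
        raise ValueError("no 'Version:' plugin header found")
    return m.group(1)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def audit_plugin_file(path: Path) -> dict:
    """Read a real jetpack.php from disk and report its version and status."""
    text = path.read_text(encoding="utf-8", errors="replace")
    installed = version_from_header(text)
    return {"path": str(path), "version": installed, "vulnerable": is_vulnerable(installed)}


# Constructed sample shaped like the top of a WordPress plugin file; the values
# are illustrative and not taken from the Jetpack source.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Jetpack
 * Plugin URI: https://jetpack.com
 * Description: Sample header constructed for this example.
 * Author: Automattic
 * Version: 12.0.2
 * Text Domain: jetpack
 */
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    status = f"VULNERABLE, upgrade to {FIXED_VERSION}" if is_vulnerable(v) else "fixed"
    print(f"Jetpack {v}: {status}")
    # On a live host (path is an assumption about a typical install):
    # print(audit_plugin_file(Path("/var/www/html/wp-content/plugins/jetpack/jetpack.php")))
```

Run it against the real `jetpack.php` on each host with `audit_plugin_file`; a version below 12.1.1 means the missing upload validation described above is still present and the upgrade should be applied.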
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34432
Vulnerability details
The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.
- CWE(s): none assigned
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet; the vendor remediation is to upgrade Jetpack to 12.1.1 or later.