CVE-2024-9926
Published: 07 November 2024
Summary
CVE-2024-9926 is a medium-severity missing-authorization vulnerability in Automattic Jetpack. Its CVSS base score is 4.3 (Medium).
Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Jetpack WordPress plugin is affected by CVE-2024-9926, a missing-authorization flaw in one of its REST endpoints. Any authenticated user, including an account holding only the subscriber role, can call the endpoint and read arbitrary feedback data submitted through the Jetpack Contact Form. The CVSS v3.1 base score is 4.3: network attack vector, low attack complexity, low privileges required, no user interaction, and an impact confined to confidentiality (the vector implied by those metrics, AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, scores exactly 4.3).
An attacker with a valid WordPress account can exploit the endpoint to retrieve contact form submissions that would otherwise be restricted, disclosing user-provided information without elevated privileges or user interaction. On sites that allow self-registration the default role for new accounts is typically subscriber, so the privilege bar is low in practice.
The single reference on this page is the WPScan advisory entry, which supplies no mitigation guidance or patch details; confirm the fixed release against the Jetpack changelog rather than assuming a version. The EPSS score has held at 0.2280 with no observed rise since disclosure.
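The root cause described above is the gap between authentication and authorization in a WordPress REST route: `register_rest_route()` gates each route with a `permission_callback`, and a callback that only asks "is the caller logged in?" lets every subscriber through. The following is an added illustration, not Jetpack's code and not the affected endpoint: the route names `demo/v1/feedback-weak` and `demo/v1/feedback`, the helper `demo_list_feedback()`, the `feedback` post type, and the `edit_pages` capability are all assumptions chosen for this example. The first registration reproduces the class of flaw; the second closes it with a capability check.

```php
<?php
/**
 * Added example (not Jetpack's code): a hypothetical REST endpoint that
 * lists contact-form submissions stored as a custom post type.
 * Assumption for this example: submissions live in post type 'feedback'.
 */

// Shared handler: returns the stored submissions. On its own it performs
// no access control; that is the job of the route's permission_callback.
function demo_list_feedback( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_type'   => 'feedback',
        'post_status' => 'any',
        'numberposts' => 50,
    ) );
    $out = array();
    foreach ( $posts as $p ) {
        $out[] = array(
            'id'      => $p->ID,
            'title'   => $p->post_title,
            'content' => $p->post_content, // the submitted message body
        );
    }
    return new WP_REST_Response( $out, 200 );
}

add_action( 'rest_api_init', function () {
    // VULNERABLE: "logged in" is not "authorised". A subscriber account,
    // which holds only the 'read' capability, passes this check and can
    // read every submission.
    register_rest_route( 'demo/v1', '/feedback-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'demo_list_feedback',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // HARDENED: require a capability tied to the data's sensitivity.
    // 'edit_pages' is this example's choice (subscribers do not hold it);
    // the point is a capability check, not merely authentication.
    register_rest_route( 'demo/v1', '/feedback', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'demo_list_feedback',
        'permission_callback' => function () {
            if ( current_user_can( 'edit_pages' ) ) {
                return true;
            }
            // 401 for anonymous callers, 403 for authenticated ones.
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to read feedback.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );
```

To check a site for this class of weakness, log in as a subscriber (or use a subscriber's application password with `curl -u`) and request the route: the weak registration returns the submissions, the hardened one returns a 403 `rest_forbidden` response. Auditing every `permission_callback` that resolves to `is_user_logged_in` or `__return_true` is the generalisation of this check across a plugin.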
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50216
Vulnerability details
The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoints, allowing any authenticated user, such as a subscriber, to read arbitrary feedback data sent via the Jetpack Contact Form.
- CWE(s): none listed on this page
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.