First published: Tue Jun 27 2023
The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Automattic Jetpack | <12.1.1 | Update to 12.1.1 or later |
CVE-2023-2996 is a vulnerability in the Jetpack WordPress plugin before version 12.1.1. Because uploaded files are not validated, an authenticated user with the Author role or higher can manipulate existing files on the site, delete arbitrary files, and in rare cases achieve remote code execution through phar deserialization. The RCE path is rare because it also requires the attacker to get a crafted phar archive onto the server and a usable deserialization gadget to be present in the installed PHP code; the file manipulation and deletion impact does not depend on either.
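As an added illustration (not Jetpack's code, and not the specific code path the advisory concerns), the plain-PHP check below shows the two controls whose absence the advisory describes: confining a user-supplied file name to the uploads directory before any filesystem call sees it, and refusing stream-wrapper paths so that a `phar://` string can never reach `file_exists()`, `unlink()` or similar. The function name, the temporary upload directory and the probe paths are all constructed here for the demo and assume POSIX paths.

```php
<?php
declare(strict_types=1);

/**
 * Return the canonical path of $requested if and only if it names an existing
 * plain file inside $uploadsDir; return null for anything else.
 *
 * Rejected before the untrusted string reaches a filesystem call:
 *  - stream wrappers (phar://, php://, data://, ...). A filesystem function
 *    given a phar:// path makes PHP parse the archive, and on PHP 7.x the
 *    archive's serialized metadata is unserialize()d at that point, which is
 *    the deserialization primitive the advisory refers to (PHP 8.0 stopped
 *    unserializing phar metadata automatically);
 *  - NUL bytes, which truncate the path at the C level;
 *  - traversal out of the upload directory, caught by comparing realpath()
 *    results rather than by string-matching "..".
 */
function confine_to_uploads(string $requested, string $uploadsDir): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Any "scheme://" prefix selects a stream wrapper; reject all of them.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested)) {
        return null;
    }
    $base = realpath($uploadsDir);
    if ($base === false) {
        return null;
    }
    // Relative names resolve against the upload root, never the process CWD.
    $candidate = ($requested[0] === '/') ? $requested : $base . '/' . $requested;
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Prefix check with a trailing separator so "/uploads2" cannot pass for "/uploads".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// --- constructed upload directory and probe paths for the demo ---
$uploads = sys_get_temp_dir() . '/demo-uploads-' . getmypid();
mkdir($uploads . '/2023/06', 0700, true);
file_put_contents($uploads . '/2023/06/photo.jpg', 'not really a jpeg');

$cases = [
    '2023/06/photo.jpg'           => true,   // legitimate attachment
    '../../../etc/passwd'         => false,  // traversal out of uploads
    'phar:///tmp/evil.phar/x.jpg' => false,  // stream wrapper
    "2023/06/photo.jpg\0.php"     => false,  // NUL truncation
    '/etc/hostname'               => false,  // absolute path outside uploads
    '2023/06'                     => false,  // directory, not a plain file
];
foreach ($cases as $path => $expected) {
    $accepted = confine_to_uploads($path, $uploads) !== null;
    printf("%-32s %s\n", addcslashes($path, "\0"), $accepted === $expected ? 'ok' : 'MISMATCH');
}

unlink($uploads . '/2023/06/photo.jpg');
rmdir($uploads . '/2023/06');
rmdir($uploads . '/2023');
rmdir($uploads);
```

The order matters: the wrapper and NUL checks run on the raw string, and only the already-canonicalised result is handed to `is_file()`, so a rejected input never triggers a stream wrapper. Whitelisting the expected file type (in WordPress, via `wp_check_filetype_and_ext()`) is a separate control that belongs in addition to, not instead of, this containment check.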
CVE-2023-2996 has a CVSS v3 base score of 8.8 (High).
To fix CVE-2023-2996, update the Jetpack WordPress plugin to version 12.1.1 or later. Automattic also released patched point versions for older Jetpack release branches and distributed them through WordPress.org's plugin auto-update, so confirm the version actually installed on the site rather than assuming the update has been applied. Keeping all WordPress plugins and themes current remains the baseline defence.
For more information about CVE-2023-2996, you can refer to the official Jetpack blog post on the critical security update (link: https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/) or the vulnerability report on WPScan (link: https://wpscan.com/vulnerability/52d221bd-ae42-435d-a90a-60a5ae530663).