The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with the author role or above to manipulate existing files on the site, delete arbitrary files, and in rare cases achieve remote code execution via phar deserialization.
References
| Link | Resource |
|---|---|
| https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/ | Vendor Advisory |
| https://wpscan.com/vulnerability/52d221bd-ae42-435d-a90a-60a5ae530663 | Exploit, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2023-06-27T13:17:07.479Z
Updated: 2023-06-27T13:17:07.479Z
Reserved: 2023-05-30T19:10:08.911Z
Link: CVE-2023-2996
NVD Information
Status: Modified
Published: 2023-06-27T14:15:11.723
Modified: 2023-11-07T04:13:39.247
Link: CVE-2023-2996
Redhat Information
No data.
CWE
No CWE.