cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-10858,https://securityvulnerability.io/vulnerability/CVE-2024-10858,DOM-Based Cross-Site Scripting Vulnerability in Jetpack Plugin for WordPress,"The Jetpack plugin for WordPress, specifically versions prior to 14.1, is susceptible to a serious flaw that allows for DOM-based Cross-Site Scripting (XSS) attacks. This vulnerability arises from the plugin's failure to adequately verify the origin of post messages in its 13.x versions. Attackers can exploit this weakness to bypass security checks, potentially leading to the execution of malicious scripts on affected websites. This issue is significant for users of WordPress.com, as the affected environment facilitates these types of exploits without proper user consent or awareness. Website administrators using the plugin must update to the latest version to mitigate any risks associated with this vulnerability.",Wordpress,Jetpack,6.1,MEDIUM,0.0004299999854993075,false,,false,false,true,2024-12-25T06:00:02.000Z,true,false,false,,2024-12-25T06:00:02.663Z,0
CVE-2024-3941,https://securityvulnerability.io/vulnerability/CVE-2024-3941,Unprotected CSRF Vulnerability in Jetpack WordPress Plugin Could Lead to Stored XSS Attacks,"The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack.",Wordpress,Recaptcha Jetpack,,,0.0004299999854993075,false,,false,false,true,2024-05-14T14:42:00.000Z,true,false,false,,2024-05-14T15:42:00.000Z,0
CVE-2024-3940,https://securityvulnerability.io/vulnerability/CVE-2024-3940,reCAPTCHA Jetpack Plugin Vulnerable to CSRF Attacks,"The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack",Wordpress,Recaptcha Jetpack,,,0.0004299999854993075,false,,false,false,true,2024-05-14T14:42:00.000Z,true,false,false,,2024-05-14T15:42:00.000Z,0
CVE-2024-4392,https://securityvulnerability.io/vulnerability/CVE-2024-4392,Jetpack Plugin Vulnerable to Stored Cross-Site Scripting,"The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all versions up to, and including, 13.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Jetpack – WP Security, Backup, Speed, & Growth",6.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-05-14T08:32:31.906Z,0
CVE-2022-3342,https://securityvulnerability.io/vulnerability/CVE-2022-3342,PHAR Deserialization Vulnerability in Jetpack CRM Plugin for WordPress,"The Jetpack CRM plugin for WordPress has a vulnerability related to PHAR deserialization through the 'zbscrmcsvimpf' parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function. Although nonce verification is performed, failure to validate during two key steps leaves the system exposed. If an attacker uploads a crafted phar:// archive and convinces an administrator to follow a malicious link, they can exploit this vulnerability to inject objects into the execution stream.",Wordpress,"Jetpack Crm – Clients, Leads, Invoices, Billing, Email Marketing, & Automation",7.5,HIGH,0.0022799998987466097,false,,false,false,false,,,false,false,,2023-10-20T07:29:24.289Z,0
CVE-2023-2996,https://securityvulnerability.io/vulnerability/CVE-2023-2996,Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API,"The Jetpack plugin for WordPress, prior to version 12.1.1, suffers from a serious vulnerability where it fails to validate uploaded files. This lack of validation permits users with author roles or higher to manipulate existing files on the site. Consequently, this could lead to arbitrary file deletions and, in certain rare instances, even allow attackers to achieve remote code execution through phar deserialization. Website administrators should promptly update to mitigate potential security risks.",Wordpress,Jetpack,8.8,HIGH,0.0037299999967217445,false,,false,false,false,,,false,false,,2023-06-27T14:15:00.000Z,0
CVE-2022-4497,https://securityvulnerability.io/vulnerability/CVE-2022-4497,Jetpack CRM < 5.5 - Contributor+ Stored XSS,"The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins",Wordpress,Jetpack Crm,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2023-01-09T22:13:36.385Z,0
CVE-2022-3919,https://securityvulnerability.io/vulnerability/CVE-2022-3919,Jetpack CRM < 5.4.3 - Admin+ Cross-Site Scripting,"The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.",Wordpress,Jetpack Crm,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2022-12-12T17:54:41.219Z,0
CVE-2021-24374,https://securityvulnerability.io/vulnerability/CVE-2021-24374,Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak,"The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a ""carousel"" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked.",Wordpress,"Jetpack – WP Security, Backup, Speed, & Growth",5.3,MEDIUM,0.0009599999757483602,false,,false,false,false,,,false,false,,2021-06-21T19:18:21.000Z,0
CVE-2015-9359,https://securityvulnerability.io/vulnerability/CVE-2015-9359,Cross-Site Scripting Vulnerability in Jetpack Plugin for WordPress,"A cross-site scripting vulnerability exists in the Jetpack plugin for WordPress due to improper sanitization of user input in functions add_query_arg() and remove_query_arg(). This flaw can potentially allow attackers to inject malicious scripts into web pages viewed by unsuspecting users, leading to unauthorized actions and data exposure. Users of the Jetpack plugin should ensure they are using version 3.4.3 or later to mitigate this risk.",Wordpress,Jetpack,6.1,MEDIUM,0.0006600000197067857,false,,false,false,false,,,false,false,,2019-08-28T14:23:20.000Z,0
CVE-2016-10705,https://securityvulnerability.io/vulnerability/CVE-2016-10705,,The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes module.,Wordpress,Jetpack,6.1,MEDIUM,0.0006699999794363976,false,,false,false,false,,,false,false,,2018-01-12T19:29:00.000Z,0
CVE-2016-10706,https://securityvulnerability.io/vulnerability/CVE-2016-10706,,The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vimeo link.,Wordpress,Jetpack,6.1,MEDIUM,0.0006699999794363976,false,,false,false,false,,,false,false,,2018-01-12T19:29:00.000Z,0
CVE-2014-0173,https://securityvulnerability.io/vulnerability/CVE-2014-0173,,"The Jetpack plugin before 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x before 2.1.4, 2.2.x before 2.2.7, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.2, 2.6.x before 2.6.3, 2.7.x before 2.7.2, 2.8.x before 2.8.2, and 2.9.x before 2.9.3 for WordPress does not properly restrict access to the XML-RPC service, which allows remote attackers to bypass intended restrictions and publish posts via unspecified vectors. NOTE: some of these details are obtained from third party information.",Wordpress,Jetpack,,,0.004569999873638153,false,,false,false,false,,,false,false,,2014-04-22T13:06:00.000Z,0
CVE-2011-4673,https://securityvulnerability.io/vulnerability/CVE-2011-4673,,SQL injection vulnerability in modules/sharedaddy.php in the Jetpack plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.,Wordpress,Jetpack,,,0.0006399999838322401,false,,false,false,false,,,false,false,,2011-12-02T18:00:00.000Z,0