CVE-2024-4392 in Jetpack Plugininfo

Summary

by MITRE • 05/14/2024

The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all versions up to, and including, 13.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 01/22/2026

The vulnerability identified as CVE-2024-4392 affects the Jetpack plugin for WordPress, specifically targeting versions up to and including 13.3.1. This security flaw resides within the plugin's wpvideo shortcode functionality, which is commonly used to embed video content on WordPress websites. The issue represents a classic stored cross-site scripting vulnerability that can be exploited by authenticated attackers who possess contributor-level access or higher privileges within the WordPress environment. The vulnerability is particularly concerning because it allows attackers to inject malicious scripts that persist in the system and execute whenever any user accesses the affected pages, making it a significant threat to website security and user data integrity.

The technical root cause of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the wpvideo shortcode implementation. When users with sufficient privileges create or modify content containing the wpvideo shortcode, the plugin fails to properly validate or sanitize the attributes provided by users. This insufficient sanitization allows malicious input to be stored directly within the WordPress database, creating a persistent vector for attack. The vulnerability specifically affects user-supplied attributes that are processed through the shortcode system, meaning that any parameter passed to the wpvideo shortcode can potentially serve as an injection point for malicious scripts. This flaw aligns with CWE-79, which defines cross-site scripting as a weakness that occurs when an application includes untrusted data in a new web page without proper validation or escaping, or when it reuses a static string without ensuring that it is safe for the context.

The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent threat that can compromise multiple users within the affected WordPress installation. Once an attacker successfully injects malicious code through the wpvideo shortcode, the injected scripts will execute in the context of any user who accesses pages containing the vulnerable content, regardless of their privilege level. This creates a potential for widespread exploitation, as the scripts can access user sessions, steal credentials, perform unauthorized actions, or redirect users to malicious websites. The vulnerability is particularly dangerous in multi-user environments where contributors and higher-level users regularly create content, as it provides attackers with a legitimate path to inject malicious code through normal content creation workflows. The stored nature of the vulnerability means that the injected scripts remain active even after the initial attack, potentially allowing for long-term persistence and continued exploitation of the system.

Organizations affected by this vulnerability should prioritize immediate remediation through plugin updates to versions that address the XSS flaw. The recommended mitigation strategy involves upgrading to the latest version of the Jetpack plugin where the sanitization and escaping mechanisms have been properly implemented. Security teams should also consider implementing additional defensive measures such as input validation at the web application firewall level, monitoring for suspicious shortcode usage patterns, and conducting thorough security audits of user-generated content. The vulnerability demonstrates the importance of proper input validation and output escaping as fundamental security practices, aligning with ATT&CK technique T1566.001 which covers the use of malicious content in web applications. Additionally, this vulnerability underscores the necessity of least privilege principles and regular security assessments of third-party plugins, as the attack vector requires only contributor-level access, highlighting the critical need for comprehensive access control and monitoring within WordPress environments to prevent unauthorized code injection.

Reservation

05/01/2024

Disclosure

05/14/2024

Moderation

accepted

CPE

ready

EPSS

0.00372

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!