False alert from WP Scan | ww.wp.xz.cn

Resolved Alexander S. Kunz
(@antermoia)

1 year, 6 months ago
Hello,

I received an alert from Jetpack Scan this morning that my site is vulnerable to CVE-2024-10858 in Jetpack v13-v14 but upon further reading, I found that this vuln only affects wordpress.com hosted sites?

https://wpscan.com/vulnerability/7fecba37-d718-4dd4-89f3-285fb36a4165/

No harm done but it might be something that needs fine-tuning in the future.

Alexander.
- This topic was modified 1 year, 6 months ago by Alexander S. Kunz.

Viewing 4 replies - 1 through 4 (of 4 total)

Plugin Contributor James Huff
(@macmanx)

1 year, 6 months ago

The linked vulnerability affects Jetpack versions 13.0-14.0.

The current version of Jetpack is 14.1, released yesterday.

Always keep your plugins up to date: https://ww.wp.xz.cn/documentation/article/plugins-themes-auto-updates/#enable-auto-updates-for-plugins
Thread Starter Alexander S. Kunz
(@antermoia)

1 year, 6 months ago
From the linked page (bold+italics highlight by me)

Description

The plugin does not properly checks the postmessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com.

My site is not hosted on WordPress.com
- This reply was modified 1 year, 6 months ago by Alexander S. Kunz.
Plugin Support Alin (a11n)
(@alinclamba)

1 year, 6 months ago

Hi @antermoia,

Thank you for the follow-up!

My site is not hosted on WordPress.com

I’ll report this internally to our security team to double-check. Thank you for highlighting this.

Plugin Contributor Stef (a11n)
(@erania-pinnera)

1 year, 5 months ago

Hey @antermoia,

I’m going to mark this thread as solved. If you have any further questions or need more help, you’re welcome to open another thread here. Cheers!

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘False alert from WP Scan’ is closed to new replies.

4 replies
4 participants
Last reply from: Stef (a11n)
Last activity: 1 year, 5 months ago
Status: resolved