CVE-2023-2996: Improper Input Validation

June 27, 2023 (updated November 7, 2023)

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.

References

jetpack.com/blog/jetpack-12-1-1-critical-security-update/
nvd.nist.gov/vuln/detail/CVE-2023-2996
wpscan.com/vulnerability/52d221bd-ae42-435d-a90a-60a5ae530663

Code Behaviors & Features

Detect and mitigate CVE-2023-2996 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →