Jetpack < 12.7 – Authenticated(Contributor+) Clickjacking via Iframe Injection | CVE 2023-47774 | Plugin Vulnerabilities

Description

The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Clickjacking via iframe injection due to an unknown parameter in all versions up to and including 12.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject iframes in pages that can be used to make users perform actions on untrusted sites.

Affects Plugins

Fixed in 12.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/92a3e622-b3b2-450e-82a7-0a942711e8c0

Classification

Type

INJECTION

OWASP top 10

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

Yes

WPVDB ID

01a0ffcd-3bf6-434c-9fd0-d5570ed4f336

Timeline

Publicly Published

2023-11-16 (about 5 months ago)

Added

2023-11-24 (about 5 months ago)

Last Updated

2023-11-24 (about 5 months ago)

Other

Published

Title

Published

2021-09-09

Title

WordPress 5.4 to 5.8 - Lodash Library Update

Published

2023-10-09

Title

EventPrime < 3.2.0 - Reflected HTML Injection on keyword parameter

Published

2020-07-09

Title

Wise Chat < 2.8.4 - CSV Injection

Published

2017-04-19

Title

AccessPress Social Icons < 1.6.8 - Authenticated SQL Injections

Published

2024-05-14

Title

Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Iframe Injection