Key Vulnerability Information

Vulnerability Description
Name: Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution
Description: The plugin does not ensure that posts created through its contact form are visible only to authorized users, which could allow unauthenticated users to run arbitrary shortcodes and blocks.

Affected Plugin
Plugin: Jetpack
Fixed in version: 13.8

References
CVE ID: CVE-2024-10075

Classification
Type: IDOR (Insecure Direct Object References)
OWASP Top 10: A5: Broken Access Control
CWE ID: CWE-639
CVSS score: 5.6 (Medium)

Other Information
Original researcher: Marc Montpas
Submitter: Marc Montpas
Verified: Yes
WPVDB ID: a984976c-291a-4f68-90d4-e452605ea7d1

Timeline
Publicly published: 2024-09-04
Added: 2024-10-17
Last updated: 2024-10-17

Other Related Vulnerabilities
2023-07-07: Getnet Argentina para Woocommerce < 0.0.5 - Unauthenticated Authorization Bypass
2025-02-21: WP Job Portal < 2.2.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection
2025-01-10: Unlimited Theme Addon For Elementor and WooCommerce < 1.2.3 - Authenticated (Contributor+) Post Disclosure
2024-08-26: Timetics < 1.0.24 - Authorization Bypass
2021-03-31: Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR