Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak

Vulnerability

The Jetpack Carousel module in the Jetpack WordPress plugin before version 9.8 allows users to create image galleries and comment on images. A vulnerability discovered by nguyenhg_vcs causes comments from non-published (draft or private) pages/posts to be leaked via the Carousel comment feature [2][4]. Affected versions include all Jetpack versions from 2.0 up to 9.7.1 [3].

Exploitation

An attacker does not need authentication; they can exploit this by visiting a page that uses the Carousel module and accessing the comment data for images that belong to non-published posts. The exact mechanism likely involves the Carousel's AJAX endpoint not properly checking the publication status of the parent post before returning comments [4]. No user interaction beyond browsing the site is required.

Impact

Successful exploitation allows an attacker to view comments intended for non-published content, leading to information disclosure of potentially sensitive discussions or private feedback. The comments are leaked to any visitor of the site, bypassing the intended access controls [2][3].

Mitigation

The vulnerability is fixed in Jetpack version 9.8, released on June 1, 2021 [3]. Jetpack also released patched versions for all older branches (e.g., 2.0.8, 3.0.5, etc.) [3]. Users should update to the latest version. Automatic updates may have already applied the fix. No workaround is available other than disabling the Carousel module if updating is not possible.