CVE-2022-50958

Vulnerability

Overview

CVE-2022-50958 is a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Jetpack version 9.1. The flaw resides in the grunion-form-view.php endpoint, where the post_id` parameter is not properly sanitized before being reflected in the response. An unauthenticated attacker can inject arbitrary JavaScript by crafting a maliciously crafted URLs, leading to script execution in the context of the victim's browser session [1][2].

Exploitation

To exploit this vulnerability, an attacker crafts a URL pointing to the vulnerable endpoint with a malicious payload in the post_id parameter. For example, a URL like http://localhost/modules/contact-form/grunion-form-view.php?post_id=<script>alert("XSS")</script> will cause the script to execute when a victim visits the link. No authentication is required, and the attack can be delivered via social engineering or by embedding the link insecurely embedding the link on other sites [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who clicks the crafted link. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The CVSS v3 base score is 6.1 (Medium), reflecting the need for user interaction but the lack of authentication requirements [2].

Mitigation

Users should update Jetpack to a version newer than 9.1, as the vulnerability has been addressed in subsequent releases. The vendor has released patches, and the plugin's official page provides the latest secure version [1]. No workaround is available other than upgrading. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.