Unrated severityNVD Advisory· Published May 15, 2025· Updated May 20, 2025

Jetpack < 13.8, Boost < 3.4.8 - Contributor+ Stored XSS

CVE-2024-10076

Description

The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and above users to perform Stored XSS attacks

Affected products

Automattic/Jetpack Boostllm-create
Range: <3.4.8
WordPress/Jetpackllm-fuzzy
Range: <13.8
Package: https://wordpress.org/plugins/jetpack

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wpscan.com/vulnerability/15f278f6-0418-4c83-b925-b1a2d8c53e2f/mitreexploitvdb-entrytechnical-description

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000