CVE-2024-10858 – This vulnerability in the Jetpack WordPress plu... (How to Fix)

Q: What is the severity of CVE-2024-10858?

CVE-2024-10858 has a CVSS score of 6.1 (MEDIUM). This vulnerability in the Jetpack WordPress plugin allows attackers to bypass postMessage origin checks, leading to DOM-based cross-site scripting (XSS). It affects websites hosted on WordPress.com using Jetpack versions before 14.1, specifically in the 13.x series. Attackers can inject malicious scripts into web pages, potentially compromising user sessions or data.

📋 TL;DR

This vulnerability in the Jetpack WordPress plugin allows attackers to bypass postMessage origin checks, leading to DOM-based cross-site scripting (XSS). It affects websites hosted on WordPress.com using Jetpack versions before 14.1, specifically in the 13.x series. Attackers can inject malicious scripts into web pages, potentially compromising user sessions or data.

💻 Affected Systems

Products:

Jetpack WordPress plugin

Versions: 13.x versions before 14.1

Operating Systems: All, as it's a WordPress plugin

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects websites hosted on WordPress.com; self-hosted WordPress sites are not vulnerable.

📦 What is this software?

Jetpack by Automattic

View all CVEs affecting Jetpack →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal sensitive user data, hijack admin sessions, deface websites, or distribute malware to visitors.

🟠

Likely Case

Attackers inject malicious scripts to steal cookies or session tokens, leading to account compromise or data theft.

🟢

If Mitigated

With proper input validation and security headers, impact is limited to minor script injection with no data loss.

🌐 Internet-Facing: HIGH, as it affects WordPress.com-hosted sites accessible from the internet, making them directly exploitable by remote attackers.

🏢 Internal Only: LOW, since the vulnerability is specific to WordPress.com hosting, which is typically internet-facing; internal-only deployments are not applicable.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM, as it requires crafting malicious postMessage payloads but no authentication.

Exploitation involves bypassing origin checks via postMessage, which may require user interaction or specific conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.1

Vendor Advisory: https://wpscan.com/vulnerability/7fecba37-d718-4dd4-89f3-285fb36a4165/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Jetpack and update to version 14.1 or later. 4. Verify the update completes successfully.

🔧 Temporary Workarounds

Disable Jetpack plugin

all

Temporarily deactivate the Jetpack plugin to mitigate the vulnerability until patching is possible.

wp plugin deactivate jetpack

Implement Content Security Policy (CSP)

all

Add a CSP header to restrict script execution and reduce XSS risk.

Add 'Content-Security-Policy: default-src 'self'; script-src 'self'' to web server configuration

🧯 If You Can't Patch

Monitor web traffic for unusual postMessage activity and block malicious IPs.
Use a web application firewall (WAF) to filter and block XSS payloads targeting this vulnerability.

🔍 How to Verify

Check if Vulnerable:

Check the Jetpack plugin version in WordPress admin under Plugins > Installed Plugins; if version is 13.x and below 14.1, it's vulnerable.

Check Version:

wp plugin get jetpack --field=version

Verify Fix Applied:

After updating, confirm the Jetpack version is 14.1 or higher in the plugin list.

📡 Detection & Monitoring

Log Indicators:

Unusual postMessage requests in web server logs, especially with suspicious script payloads.

Network Indicators:

HTTP requests containing crafted postMessage data targeting Jetpack endpoints.

SIEM Query:

source="web_logs" AND (url="*jetpack*" AND message="*postMessage*" AND (payload="*script*" OR payload="*alert*"))

📊 Metadata

CVE ID: CVE-2024-10858

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: December 25, 2024

Last Updated: May 14, 2025

🔗 References

https://wpscan.com/vulnerability/7fecba37-d718-4dd4-89f3-285fb36a4165/ Exploit,Third Party Advisory
https://wpscan.com/vulnerability/7fecba37-d718-4dd4-89f3-285fb36a4165/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-10858, you might also want to check these: