CVE-2024-10075: CWE-639 Authorization Bypass Through User-Controlled Key in Unknown Jetpack
The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and blocks.
AI Analysis
Technical Summary
CVE-2024-10075 is a medium-severity vulnerability in the Jetpack WordPress plugin, fixed in version 13.8. It is classified as CWE-639, Authorization Bypass Through User-Controlled Key: the requester supplies the identifier that selects a stored object, and the application looks that object up without verifying that the requester is authorised to access it. Here the object is a post that Jetpack's Contact Form creates, and the missing check lets an unauthenticated visitor have that post rendered, which in turn runs whatever shortcodes and blocks it contains. Shortcodes and blocks are expanded server-side by the callbacks that WordPress core, the theme and other plugins have registered, so the achievable impact depends on what is registered on the target site: at minimum content manipulation or information disclosure, and more if a registered shortcode performs privileged actions. No authentication or user interaction is required, so the flaw is remotely exploitable over the network. The CVSS 3.1 base score is 5.6 (medium), consistent with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L: network attack vector, high attack complexity, no privileges or user interaction, and low impact to each of confidentiality, integrity and availability. The high attack complexity indicates that successful exploitation depends on conditions outside the attacker's control, such as which shortcodes and blocks the site makes available. No exploitation in the wild has been reported. The record was assigned by WPScan and has been enriched by CISA. The affected range is every version before 13.8 (the affectedVersions field records the lower bound as '0'), and the remediation is to update to 13.8 or later. The vulnerability is a reminder that user-generated content must be gated by per-object authorization checks, and that rendering shortcodes and blocks on behalf of an unauthenticated caller is a privileged operation.
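The following is an added illustration of the CWE-639 pattern described above in WordPress terms; it is not Jetpack's code, and the endpoint path, the post type name and the function names are assumptions made for the example. Both REST handlers render a stored post selected by a caller-supplied ID. The first trusts the ID alone, so any unauthenticated caller can have any post's shortcodes and blocks expanded server-side; the second binds the lookup to an authorization check on that specific post.

```php
<?php
/**
 * Illustrative CWE-639 (Authorization Bypass Through User-Controlled Key)
 * in a WordPress REST endpoint, with its hardened counterpart.
 * Not Jetpack's code: names and paths are assumptions for the example.
 */

// Hypothetical post type that a contact form writes submissions into.
const EXAMPLE_FORM_POST_TYPE = 'example_form_entry';

// VULNERABLE: the caller-supplied ID is the only thing selecting the object,
// and __return_true below lets unauthenticated callers reach this handler.
function example_render_entry_insecure( WP_REST_Request $request ) {
    $post = get_post( absint( $request['id'] ) );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such post', array( 'status' => 404 ) );
    }
    // Server-side expansion of blocks and shortcodes for whoever asked.
    return rest_ensure_response( array(
        'html' => do_shortcode( do_blocks( $post->post_content ) ),
    ) );
}

// HARDENED: a permission callback ties the object to the caller's rights.
function example_can_read_entry( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required', array( 'status' => 401 ) );
    }
    $post = get_post( absint( $request['id'] ) );
    // Reject unknown IDs and IDs of a different post type, so the endpoint
    // cannot be turned into a generic renderer for arbitrary posts.
    if ( ! $post || EXAMPLE_FORM_POST_TYPE !== $post->post_type ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    // Per-object check: 'read_post' is a meta capability that WordPress maps
    // through map_meta_cap(), so private or unpublished entries require the
    // matching primitive capability on the caller's role.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    return true;
}

function example_render_entry_secure( WP_REST_Request $request ) {
    // permission_callback has already run and rejected unauthorised callers.
    $post = get_post( absint( $request['id'] ) );
    return rest_ensure_response( array(
        'html' => do_shortcode( do_blocks( $post->post_content ) ),
    ) );
}

add_action( 'rest_api_init', function () {
    // Vulnerable shape: no authorization between the public internet and do_shortcode().
    register_rest_route( 'example/v1', '/entry-insecure/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_render_entry_insecure',
        'permission_callback' => '__return_true',
    ) );
    // Hardened shape: the per-object check runs before the callback.
    register_rest_route( 'example/v1', '/entry/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_render_entry_secure',
        'permission_callback' => 'example_can_read_entry',
        'args'                => array(
            'id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );
```

The point of the hardened version is that the check is made against the resolved post, not merely against whether a user is logged in: a logged-in subscriber who can guess another submission's ID still gets a 403 unless map_meta_cap() grants read access to that post. When reviewing a plugin for this class of bug, look for every code path where a request parameter reaches get_post(), get_post_field() or a WP_Query and confirm that a current_user_can() call on that object sits between the lookup and any rendering or output.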
Potential Impact
For European organizations running WordPress sites with Jetpack, this vulnerability could lead to unauthorized content manipulation or information disclosure through posts created by the Contact Form feature. An attacker able to trigger rendering of such a post could have shortcodes and blocks expanded on their behalf, which may alter displayed content, deface pages or invoke functionality that the site's registered shortcodes expose, undermining the integrity and availability of web resources. That can damage organizational reputation, disrupt operations and expose sensitive data where a registered shortcode reads or emits it. Given the widespread use of WordPress and Jetpack in Europe for corporate, governmental and e-commerce websites, the flaw is a tangible risk to web presence and trustworthiness. The medium severity and high attack complexity limit the immediacy of the impact, and no exploitation in the wild has been reported. Because the fix shipped in 13.8 and the plugin is open source, however, the patch can be diffed to derive an exploit, so sites that have not updated should treat the flaw as exploitable by any unauthenticated remote party. Organizations with public-facing WordPress sites that rely on Jetpack's Contact Form should be particularly vigilant.
Mitigation Recommendations
1. Update Jetpack to 13.8 or later; this is the fix. Confirm the installed version with `wp plugin get jetpack --field=version` and update with `wp plugin update jetpack`, then verify the version again.
2. Where the update cannot be applied immediately, disable the Jetpack Contact Form module or remove contact forms from public pages until it can.
3. Inventory the shortcodes and blocks registered on the site, since they determine what an attacker gains from arbitrary rendering. Remove plugins that register shortcodes or blocks you do not use, and give particular scrutiny to any that perform actions beyond displaying content.
4. Use a Web Application Firewall to rate-limit and log unauthenticated requests that reference post IDs, and block clients that enumerate IDs sequentially; this is the access pattern a CWE-639 bypass typically produces.
5. Review web server and WordPress logs for unauthenticated requests targeting Contact Form submission posts, and for spikes in rendered shortcode output on paths that normally receive none.
6. Keep WordPress core, Jetpack and all other plugins current, applying security releases promptly.
7. Include IDOR and CWE-639 scenarios in security audits and penetration tests of the site: for each plugin endpoint that accepts a post ID, confirm that access is checked against the resolved post, not only against login state.
8. Educate site administrators about the risk that shortcodes and blocks pose when rendered for untrusted callers and about plugin update hygiene.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2024-10-17T08:50:53.381Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f71484d88663aeae58
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/4/2025, 10:39:46 AM
Last updated: 8/7/2025, 12:36:26 PM
Related Threats
- CVE-2025-8285: CWE-862: Missing Authorization in Mattermost Mattermost Confluence Plugin (Medium)
- CVE-2025-54525: CWE-1287: Improper Validation of Specified Type of Input in Mattermost Mattermost Confluence Plugin (High)
- CVE-2025-54478: CWE-306: Missing Authentication for Critical Function in Mattermost Mattermost Confluence Plugin (High)
- CVE-2025-54463: CWE-754: Improper Check for Unusual or Exceptional Conditions in Mattermost Mattermost Confluence Plugin (Medium)
- CVE-2025-54458: CWE-862: Missing Authorization in Mattermost Mattermost Confluence Plugin (Medium)