CVE-2021-24374: 
PHP vulnerability analysis and mitigation

The Jetpack Carousel module vulnerability (CVE-2021-24374) was discovered in the JetPack WordPress plugin versions before 9.8. The vulnerability, identified by researcher nguyenhg_vcs, allowed unauthorized access to comments on non-published pages and posts through the Carousel module, which is designed to create image galleries with commenting capabilities (WPScan Details, CVE Details).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue with a CVSS score of 5.3 (medium severity) and is mapped to CWE-639. The exploit involves manipulating the 'id' parameter in POST requests to the admin-ajax.php endpoint, allowing attackers to access comments on non-public content by specifying valid media attachment IDs (WPScan Details).

The vulnerability could lead to the unauthorized disclosure of comments on non-published pages and posts, potentially exposing sensitive or private information that was intended to remain hidden until publication (Jetpack Blog).

The vulnerability was patched in Jetpack version 9.8. The development team, working with the WordPress.org Security Team, released patched versions for all Jetpack versions since 2.0. Sites with automatic updates were automatically secured. For sites running older versions, disabling the Carousel feature serves as a temporary mitigation (Jetpack Blog).