CVE-2024-10075: 
WordPress vulnerability analysis and mitigation

The Jetpack WordPress plugin before version 13.8 contains a security vulnerability identified as CVE-2024-10075. The vulnerability stems from improper access control in the Contact Form functionality, where posts created by the form are not properly restricted to authorized users. This security issue was discovered by Marc Montpas and publicly disclosed on September 4, 2024 (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue and falls under the OWASP Top 10 category A5: Broken Access Control (CWE-639). It has been assigned a CVSS v3.1 score of 5.6 (medium severity), with the vector string AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. The technical issue lies in the plugin's failure to implement proper access controls for posts generated through the Contact Form functionality (WPScan, NVD).

When exploited, this vulnerability allows unauthenticated users to execute arbitrary shortcodes and blocks through the Contact Form functionality. This could potentially lead to unauthorized access to content and execution of unintended functionality on the WordPress site (CVE Mitre).

The vulnerability has been fixed in Jetpack version 13.8. Site administrators are strongly advised to update their Jetpack WordPress plugin to this version or later to protect against this security issue (WPScan).