CVE-2024-9926: 
WordPress vulnerability analysis and mitigation

The Jetpack WordPress plugin (CVE-2024-9926) contains an authorization vulnerability that affects versions prior to 13.9.1. The vulnerability was discovered and disclosed on November 7, 2024. The issue exists in one of the REST endpoints, which lacks proper authorization controls, allowing any authenticated users, including those with subscriber-level access, to read arbitrary feedback data submitted through the Jetpack Contact Form (NVD, WPScan).

The vulnerability stems from improper authorization implementation in the WordPress REST API endpoint 'wp/v2/feedback'. The issue has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as an Incorrect Authorization issue (CWE-863) according to the Common Weakness Enumeration system (NVD, WPScan).

When exploited, this vulnerability allows authenticated users with subscriber-level access to read arbitrary feedback data that has been submitted through the Jetpack Contact Form. This unauthorized access to potentially sensitive information could compromise user privacy and data confidentiality (WPScan).

The vulnerability has been patched in Jetpack version 13.9.1. Site administrators are strongly advised to update to this version or later to protect against unauthorized access to feedback data. The fix has also been backported to multiple earlier versions of Jetpack, including versions 13.8.2, 13.7.1, and earlier releases (WPScan).