CVE-2023-54332
Unknown Unknown - Not Provided

Cross-Site Scripting in Jetpack 11.4 Contact Form Module

Vulnerability report for CVE-2023-54332, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
automattic jetpack 11.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2023-54332 is a cross-site scripting (XSS) vulnerability in Jetpack version 11.4, specifically in the contact form module. It occurs because the post_id parameter does not properly sanitize user input, allowing attackers to inject malicious JavaScript code. When a victim interacts with a crafted URL containing this malicious script, the script executes in their browser, potentially exposing sensitive information or performing unauthorized actions. [1, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the browsers of users who visit the affected contact form page with a maliciously crafted URL. This can lead to theft of sensitive information such as cookies, session hijacking, or other malicious actions performed in the context of the victim's browser session. [1, 3]

Detection Guidance

This vulnerability can be detected by testing the contact form module of Jetpack version 11.4 for reflected cross-site scripting (XSS) via the post_id parameter. A practical detection method is to craft and visit a URL similar to: http://localhost/modules/contact-form/grunion-form-view.php?post_id=<script>alert(document.cookie)</script> and observe if the script executes in the browser. This indicates the presence of the vulnerability. No specific network commands are provided, but manual testing of the URL with the malicious payload is suggested. [1, 3]

Mitigation Strategies

Immediate mitigation steps include updating the Jetpack plugin to a version later than 11.4 where the vulnerability is fixed. Additionally, enabling Jetpack's security features such as the Web Application Firewall (WAF) can help block malicious traffic exploiting this vulnerability. As a temporary measure, avoid interacting with suspicious URLs containing the post_id parameter with script payloads and consider disabling the contact form module until a patch is applied. [2, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54332. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart